[Samba] Get last uidNumber
abartlet at samba.org
Mon Feb 15 03:50:13 UTC 2021
On Sun, 2021-02-14 at 22:27 -0500, Jonathon Reinhart wrote:
> On Sun, Feb 14, 2021 at 6:48 PM Andrew Bartlett <abartlet at samba.org>
> > On Tue, 2020-11-03 at 11:38 -0500, Jonathon Reinhart via samba
> > wrote:
> > > See this post where Rowland suggested using these attributes to
> > > store
> > > the maximum value in LDAP. (These are not automatically
> > > calculated,
> > > your script would need to keep them updated.)
> > >
> > > - msSFU30MaxUidNumber
> > > - msSFU30MaxGidNumber
> > Just be aware that these are not multi-master update safe to
> > update.
> > If your domain can get out of sync, just be aware that if your tool
> > is
> > pointed at an 'older' DC, it could allocate the same UID twice.
> Thanks for the heads up. Am I correct that this is problematic even
> without the atomic update problem you mention below?
Yes, the atomic update only helps on the single DC. The joys of multi-
> Let's assume that msSFU30MaxUidNumber is being updated atomically
> (from the perspective of the LDAP server serving adman's requests).
> I understand your concern correctly, the following sequence could
> - msSFU30MaxUidNumber = 1000
> - Adman connects to DC1, assigns UID=1000 to a user, and atomically
> increments msSFU30MaxUidNumber to 1001
> - Before the replication completes, Adman connects to DC2, sees the
> old value of msSFU30MaxUidNumber = 1000, and assigns a duplicate
> UID=1000 to a different user
> - msSFU30MaxUidNumber = 1001
> I have a cron job that runs Adman every minute. Since Adman looks up
> the LDAP server via the SRV record  (and doesn't sort them), it's
> possible that it could choose a different DC the next time. And I
> guess if replication was being pokey, this scenario could happen.
> I'm not sure how to best resolve this. Perhaps one mitigating method
> would be to always target the DC with the PDC emulator FSMO role.
> I've opened issue adman#23  to track this.
I recommend RID based allocation, always take the user RID and add a
base. Ideally record that base in the trustPosixOffset attribute.
> > > https://lists.samba.org/archive/samba/2019-June/223499.html
> > >
> > > But also, check out my project ADMan, which does several things,
> > > one
> > > of which is assign uidNumber / gidNumber attributes to new users:
> > >
> > > https://gitlab.com/JonathonReinhart/adman/
> > Cool.
> > One thing I would love is to get the uidNumber/gidNumber assignment
> > into Samba. I would use something like the algorithm from
> > idmap_sssd
> > to pick a 'pretty much likely to be unique UID' based on the RID
> > and
> > then store it forever in the uidNumber.
> One mistake I would love to go back in time to rectify is the
> suggested UID/GID ranges. I first asked about this here . I'm
> currently using 100000-200000 for both uidNumber and gidNumber. While
> this is fine for most use cases, it does preclude the use of SSSD's
> "automatic user private groups" feature which, if enabled
> (auto_private_groups = true), makes it such that "every AD user has a
> GID which is identical to the UID."   For that reason, I wish I
> had gone with disjoint ranges.
Well, if you move to RID based, as users and group share a RID space,
this becomes available again (for new users). I agree, keeping UIDs
and GIDs as a single number space is preferable.
> > In the meantime I would suggest to try to do an LDAP atomic update
> > of
> > the msSFU30MaxUidNumber regardless.
> > See https://ldapwiki.com/wiki/LDIF%20Atomic%20Operations for what I
> > mean.
> Cool. I had briefly considered the atomicity problems, but kind of
> ignored them, as Adman is the only agent in my network updating these
> fields. But this would be a great improvement. I actually identified
> another related problem while looking at this. I opened adman#24 
> to track.
> > Sadly Samba as an ideal POSIX directory remains on my 'todo' list.
> > Some ideas are here:
> > https://wiki.samba.org/index.php/Better_Posix_AD
> Yep. If people are running Samba AD DCs, they're almost certainly
> running POSIX clients/servers too. If Samba managed some/all of this
> automatically, it would save a lot of start-up hassle.
I would love someone to make a start on this :-).
> Not having to know intimate details (like Rowland's favorite: Don't
> assign gidNumber to Domain Admins b/c it owns things in SYSVOL) would
> save a lot of mailing list traffic.
> Thanks for taking a look and offering insight!
You are welcome,
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
More information about the samba