[Samba] Security token SIDs does not contain the right SID for users in username map
rpenny at samba.org
Thu Oct 28 15:20:55 UTC 2021
On Thu, 2021-10-28 at 11:55 -0300, tizo wrote:
> > No, that is, in my opinion, totally wrong, you cannot use 'tdb' for
> > the
> > 'DOMAIN' backend, you need to use the 'rid', 'autorid' or 'ad'
> > backend.
> > You also do not map the users in the user.map, you just make the AD
> > users into Unix users by using the correct winbind backend.
> Rowland, thanks for your quick response. Then I guess that for our
> case, we should use the 'ad' backend, as of the three you mention it is
> the only one capable of mapping to specific UIDs, right?
This all depends: is there an AD DC anywhere in your setup? Or are you
just getting authentication from freeipa?
As far as I am aware, freeipa only does authentication, which is okay,
because Samba also only wants you to use a Samba AD DC for
authentication. However freeipa is never likely to give you what an AD
If you use the winbind 'rid' or 'autorid' backends, the Unix ID will be
calculated from the RID taken from the SID (does freeipa have SIDs?)
and if you use the same 'global' part of the smb.conf on all Samba
machines, then you will always get the same IDs without adding
anything to AD.
If you use the 'ad' backend, then you need to add RFC2307 attributes to
AD and these will be used on all Samba machines.
NOTE: AD above could be freeipa.
At the moment you are using the 'tdb' backend and this is an allocating
backend, that is, when a user or group contacts the Samba server, it
gets allocated the next available ID. This means you will get different
IDs on different machines and, even worse, if the Samba database on the
machine gets corrupted, the users and groups are likely to get
I do not use freeipa, so know little about it, so a bit of
investigation may be worth doing. As far as I am aware, freeipa is
really ldap on steroids, just not as far as Samba AD.
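The difference Rowland describes between an allocating backend ('tdb') and a calculated one ('rid') can be shown in a few lines. The following is an added illustration, not code from the thread or from Samba itself. It parses a constructed smb.conf fragment, applies the idmap_rid rule (ID = RID + low end of the domain's range) to a sample SID, and models the tdb backend as a first-come, first-served counter to show why two servers hand out different IDs for the same users. The domain name SAMDOM, the ranges and the SIDs are assumptions made for the example.

```python
import re

# Constructed smb.conf fragment: the shape of config Rowland recommends,
# with a calculated 'rid' backend for the domain and 'tdb' only for the
# catch-all '*' domain. SAMDOM and both ranges are example values.
SMB_CONF_RID = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""


def parse_idmap(conf):
    """Collect 'idmap config DOMAIN : backend|range = value' lines per domain."""
    cfg = {}
    pattern = r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)"
    for dom, key, val in re.findall(pattern, conf):
        entry = cfg.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = val
        else:
            low, high = val.split("-")
            entry["low"], entry["high"] = int(low), int(high)
    return cfg


def rid_from_sid(sid):
    """The RID is the last sub-authority of the SID (S-1-5-21-...-RID)."""
    return int(sid.rsplit("-", 1)[1])


def rid_backend_id(cfg, domain, sid):
    """idmap_rid mapping: ID = RID + LOW_RANGE_ID.

    Returns None when the result falls outside the configured range, which
    is when winbind would refuse to map the SID rather than hand out an ID.
    """
    entry = cfg[domain]
    if entry.get("backend") != "rid":
        raise ValueError(f"{domain} is not using the rid backend")
    unix_id = rid_from_sid(sid) + entry["low"]
    if unix_id > entry["high"]:
        return None
    return unix_id


class TdbAllocator:
    """Toy model of the allocating tdb backend: the next free ID goes to
    whichever SID is looked up first, so the mapping depends on history."""

    def __init__(self, low, high):
        self.next_id = low
        self.high = high
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def ids_on_two_servers(sids_seen_by_a, sids_seen_by_b, low=3000, high=7999):
    """Same config on two servers, different order of first contact:
    returns the SID -> ID table each server ends up with."""
    server_a, server_b = TdbAllocator(low, high), TdbAllocator(low, high)
    return (
        {s: server_a.lookup(s) for s in sids_seen_by_a},
        {s: server_b.lookup(s) for s in sids_seen_by_b},
    )


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF_RID)
    user = "S-1-5-21-1-2-3-1105"  # constructed SID, RID 1105
    print("rid backend:", rid_backend_id(cfg, "SAMDOM", user))
    a, b = ids_on_two_servers([user, "S-1-5-21-1-2-3-1106"],
                              ["S-1-5-21-1-2-3-1106", user])
    print("tdb server A:", a)
    print("tdb server B:", b)
```

With the rid backend every machine sharing the same [global] section computes 11105 for RID 1105, whereas the two tdb allocators give that same user 3000 on one server and 3001 on the other, which is exactly the cross-machine mismatch (and the loss on database corruption) the reply warns about.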