[Samba] Security token SIDs does not contain the right SID for users in username map

tizo tizone at gmail.com
Thu Oct 28 16:25:57 UTC 2021


> This all depends, is there an AD DC anywhere in your setup ? Or are you
> just getting authentication from freeipa ?
>
> As far as I am aware, freeipa only does authentication, which is okay,
> because Samba also only wants you to use a Samba AD DC for
> authentication. However freeipa is never likely to give you what an AD
> DC will.
>
> If you use the winbind 'rid' or 'autorid' backends, the Unix ID will be
> calculated from the RID taken from the SID (does freeipa have SIDs ?)
> and if you use the same 'global' part of the smb.conf on all Samba
> machines, then you will always get the same ID's without adding
> anything to AD.
>
> If you use the 'ad' backend, then you need to add RFC2307 attributes to
> AD and these will be used on all Samba machines.
>
> NOTE: AD above could be freeipa.
>
> At the moment you are using the 'tdb' backend and this is an allocating
> backend, that is, when a user or group contacts the Samba server, it
> gets allocated the next available ID, this means you will get different
> ID's on different machines and even worse, if the Samba database on the
> machine gets corrupted, the users and groups are likely to get
> different ID's.
>
> I do not use freeipa, so know little about it, so a bit of
> investigation may be worth doing. As far as I am aware, freeipa is
> really ldap on steroids, just not as far as Samba AD.
>
> Rowland
>
>
In our scenario there is an AD DC (Windows Server 2012 R2), and an
independent FreeIPA. The first is used for Windows computer users, and the
second for Ubuntu computer users. Users exist on both systems, and should
be mapped in the file server (Samba). We don't have (we will, but not yet)
a Samba AD at this time, and it is not our intention to have one right now.

As for the above, and your information, we should use the 'ad' idmap
backend and not use "username map".

In other order, we know how 'tdb' works, and we know that static mappings
can be done too (aside from the automatic allocation), with "net idmap
restore" for example. In fact, in our actual solution (with Samba 3.6.23),
we are using it with the static mappings, and all is working right. As for
that, at first we thought of using the same method and mapping (the
transition should be much easier). So our question is, why is it not
working with the actual version? More precisely, why is the AD SID of a user
that is in the username map not in his security token SIDs? (The problem
does not exist if the username is the same on both systems, so he doesn't
have a line in the username map.)
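The point Rowland makes about allocating versus calculating backends can be checked by hand. The following is an added example, not code from the thread or from Samba itself: it models the idmap_rid rule documented in the idmap_rid man page (ID = RID - base_rid + low_range) beside a toy version of the allocating tdb behaviour, and maps the same SIDs on two simulated file servers that see users in a different order. The domain SIDs, the "EXAMPLE" domain name and the idmap range are constructed values and not from the thread.

```python
import re

# Constructed sample idmap configuration, as it would appear in smb.conf's
# [global] section for a hypothetical domain named EXAMPLE:
#   idmap config EXAMPLE : backend  = rid
#   idmap config EXAMPLE : range    = 10000-999999
#   idmap config EXAMPLE : base_rid = 0      (the default)
IDMAP_CONFIG = {
    "range": (10000, 999999),
    "base_rid": 0,
}

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>; only the last
# sub-authority (the RID) identifies the user or group inside the domain.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def parse_rid(sid: str) -> int:
    """Return the RID of a domain SID; reject well-known or malformed SIDs."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_backend_id(sid: str, cfg=IDMAP_CONFIG):
    """Deterministic mapping used by idmap_rid (assumption: formula taken from
    the idmap_rid man page): ID = RID - base_rid + low_range.
    Returns None when the result falls outside the configured range, which
    Samba treats as an unmapped SID."""
    low, high = cfg["range"]
    unix_id = parse_rid(sid) - cfg["base_rid"] + low
    return unix_id if low <= unix_id <= high else None


class TdbAllocator:
    """Toy model of the allocating 'tdb' backend: every previously unseen SID
    gets the next free ID, so the result depends on the order in which users
    first contact *this* server, not on the SID itself."""

    def __init__(self, low: int, high: int):
        self.low, self.high = low, high
        self.next_id = low
        self.table = {}

    def lookup(self, sid: str) -> int:
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def compare_backends(sids):
    """Map the same SIDs on two simulated servers that see users in opposite
    order and report whether each backend produced consistent IDs."""
    rid_a = [rid_backend_id(s) for s in sids]
    rid_b = [rid_backend_id(s) for s in reversed(sids)][::-1]
    tdb_a = TdbAllocator(*IDMAP_CONFIG["range"])
    tdb_b = TdbAllocator(*IDMAP_CONFIG["range"])
    ids_a = [tdb_a.lookup(s) for s in sids]
    ids_b = [tdb_b.lookup(s) for s in reversed(sids)][::-1]
    return {
        "rid_consistent": rid_a == rid_b,
        "tdb_consistent": ids_a == ids_b,
        "rid_ids": rid_a,
        "tdb_ids_server_a": ids_a,
        "tdb_ids_server_b": ids_b,
    }


# Constructed SIDs for two users (RIDs 1105, 1106) and Domain Users (RID 513).
SAMPLE_SIDS = [
    "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "S-1-5-21-1111111111-2222222222-3333333333-1106",
    "S-1-5-21-1111111111-2222222222-3333333333-513",
]

if __name__ == "__main__":
    import json
    print(json.dumps(compare_backends(SAMPLE_SIDS), indent=2))
```

Running it shows the rid backend handing out 11105, 11106 and 10513 on both servers regardless of contact order, while the tdb model gives the same three SIDs different IDs on each server. That is the ownership-drift problem described above: file and directory ownership stored as Unix IDs on one server stops matching the same users on another, or on the same server after its idmap database is rebuilt.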

