[Samba] Security token SIDs does not contain the right SID for users in username map

Rowland Penny rpenny at samba.org
Thu Oct 28 16:55:46 UTC 2021


On Thu, 2021-10-28 at 13:25 -0300, tizo wrote:
> 

> In our scenario there is an AD DC (Windows Server 2012 R2), and an
> independent FreeIPA. The first is used for Windows computer users,
> and the second for Ubuntu computer users.

Why? You could have used the AD for everything; you do not really need
FreeIPA.

>  Users exist on both systems, and should be mapped in the file server
> (Samba). 

If you only had one authentication server, you wouldn't need to map
anything.

> We  don't have (we will, but not yet) a Samba AD at this time, and it
> is not our intention to have one right now.

Fair enough.

> 
> As for the above, and your information, we should use the 'ad' idmap
> backend and not use "username map".

From the sound of it, yes, it is probably the only way to get the same
IDs everywhere.

> 
> In other order, we know how 'tdb' works, and we know that static
> mappings can be done too (aside from the automatic allocation), with
> "net idmap restore" for example. In fact, in our actual solution
> (with Samba 3.6.23),

For a start, if you are still using 3.6.23, then you shouldn't; it is
dead and littered with numerous serious bugs. Having said that, you
should have been using one of the winbind backends other than tdb.

Yes, you can use 'net idmap restore', but the '*' domain is only really
meant for the Well Known SIDs and anything outside the 'DOMAIN' domain,
and it doesn't really matter if they get different IDs.

>  we are using it with the static mappings, and all is working right.
> As for that, at first we thought of using the same method and mapping
> (the transition should be much easier). So our question is, why is it
> not working with the actual version. More precisely, why the AD SID
> of a user that is in the username map is not in his security token
> SIDs (the problem does not exist if the username is the same on both
> systems, so he doesn't have a line in the username map).

It is quite possible that the AD has one SID and the freeipa has a
different one. The usernames may be the same, but they are different
users to AD and freeipa.

If you had just used one Authentication server, you would not be having
your problems now.

Rowland
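As an added illustration (not part of the thread, and not Rowland's or tizo's configuration), here is the shape of the smb.conf idmap setup the reply above points at: the 'ad' backend for the AD domain, with the '*' default domain left on tdb for the Well Known SIDs and anything outside the domain, and no 'username map' line. The domain name EXAMPLE / realm EXAMPLE.COM and both ranges are assumptions; substitute your own, and keep the two ranges non-overlapping.

```ini
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # Default domain '*' (assumed range): only Well Known SIDs and SIDs
   # outside the EXAMPLE domain land here. tdb allocates these IDs per
   # host, so they may differ between hosts; that is acceptable for these
   # SIDs, as the reply above notes.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # AD domain (assumed range): the 'ad' backend reads uidNumber/gidNumber
   # from the user and group objects in AD (RFC2307 attributes), so every
   # member server resolves the same SID to the same ID without a
   # username map or per-host static mappings. Users and groups without
   # those attributes populated will not resolve at all.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : unix_nss_info = yes

   winbind use default domain = yes
   # Deliberately no 'username map = ...' line here.
```

To check the result on a joined member server: `wbinfo -n USER` returns the user's AD SID, `wbinfo -i USER` and `id USER` should show the uidNumber/gidNumber stored in AD, and `wbinfo --user-sids=S-1-5-21-...` lists the SIDs that end up in that user's token, which is where the thread's missing-SID symptom would show up.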
