[Samba] Security token SIDs does not contain the right SID for users in username map

tizo tizone at gmail.com
Thu Oct 28 17:09:00 UTC 2021


On Thu, Oct 28, 2021 at 1:56 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2021-10-28 at 13:25 -0300, tizo wrote:
> >
>
> > In our scenario there is an AD DC (Windows Server 2012 R2), and an
> > independent FreeIPA. The first is used for Windows computer users,
> > and the second for Ubuntu computer users.
>
> Why? You could have used the AD for everything, you do not really need
> freeipa.
>
> > Users exist on both systems, and should be mapped in the file server
> > (Samba).
>
> If you only had one authentication server, you wouldn't need to map
> anything.
>
> > We  don't have (we will, but not yet) a Samba AD at this time, and it
> > is not our intention to have one right now.
>
> Fair enough.
>
> >
> > As for the above, and your information, we should use the 'ad' idmap
> > backend and not use "username map".
>
> From the sound of it, yes, it is probably the only way to get the same
> IDs everywhere.
>
> >
> > In other order, we know how 'tdb' works, and we know that static
> > mappings can be done too (aside from the automatic allocation), with
> > "net idmap restore" for example. In fact, in our actual solution
> > (with Samba 3.6.23),
>
> For a start, if you are still using 3.6.23, then you shouldn't, it is
> dead and littered with numerous serious bugs. Having said that, you
> should have been using one of the winbind backends other than tdb.
>

And that is why we are trying to migrate to the actual version (posted in
the first email).


>
> Yes, you can use 'net idmap restore', but the '*' domain is only really
> meant for the Well Known SIDs and anything outside the 'DOMAIN' domain,
> and it doesn't really matter if they get different IDs.
>
> > we are using it with the static mappings, and all is working right.
> > As for that, at first we thought of using the same method and mapping
> > (the transition should be much easier). So our question is, why it is
> > not working with the actual version. More precisely, why the AD SID
> > of a user that is in the username map is not in his security token
> > SIDs (the problem does not exist if the username is the same on both
> > systems, so he doesn't have a line in the username map).
>
> It is quite possible that the AD has one SID and the freeipa has a
> different one. The usernames may be the same, but they are different
> users to AD and freeipa.
>

Our FreeIPA has no SIDs. In fact, I am quite sure that, from the point of
view of Samba in our solution, we could consider the FreeIPA users as local
users, and the results would be the same. I have not tested it, but I think
so.

>
> If you had just used one Authentication server, you would not be having
> your problems now.
>

We will, in the future. It will be the FreeIPA server, and a Samba AD
running on top of that I guess. But this is not that time, and we are just
trying to migrate our actual file server with the actual solution.

I think we will try the solution with the AD backend to see what happens.
Thanks very much Rowland!

>
>
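The two smb.conf layouts discussed in this thread, side by side, as an added illustration that is not part of the original message or of the Samba project's documentation. The first is the tdb-plus-'username map' approach the poster is migrating from; the second is the 'ad' idmap backend Rowland recommends. The domain name EXAMPLE, the realm, the ranges and the map file path are assumed placeholders; the two [global] sections represent two alternative files, not one file.

```ini
# ---- Variant A (the approach described in the thread): tdb allocation plus username map ----
# 'username map' rewrites the incoming AD account name to a FreeIPA/local account name
# before the security token is built, so the token is built for the mapped Unix account.
# That is why the AD SID can be absent from the token SIDs for mapped users while users
# whose names already match (no map entry) keep their AD SID.
[global]
   security = ADS
   workgroup = EXAMPLE                 ; assumed NetBIOS domain name
   realm = EXAMPLE.COM                 ; assumed AD realm
   idmap config * : backend = tdb      ; only Well Known SIDs and foreign domains end up here
   idmap config * : range = 3000-7999
   username map = /etc/samba/smbusers  ; assumed path; entries like  jsmith = EXAMPLE\john.smith

# ---- Variant B (recommended in the thread): the 'ad' idmap backend for the AD domain ----
# winbind reads uidNumber/gidNumber (RFC2307 attributes) for each AD user and group, so
# the same AD account gets the same Unix IDs on every member server, and no renaming
# happens before the token is built, so the AD SID stays in the token.
[global]
   security = ADS
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999   ; must not overlap the '*' range
   idmap config EXAMPLE : unix_nss_info = yes    ; take shell/home from AD as well
   winbind use default domain = yes
```

With variant B, every AD user and group that should be able to access the share needs uidNumber and gidNumber set in AD and inside the configured range; accounts without those attributes are not mapped at all. After joining, `wbinfo -i EXAMPLE\\john.smith` and `getent passwd john.smith` are the quickest way to confirm that winbind resolves the AD account with the expected Unix ID before testing access to a share.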

