[Samba] ad-backend: uidNumber set too late

L.P.H. van Belle belle at bazuin.nl
Fri Sep 3 07:56:03 UTC 2021




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Viktor Trojanovic via samba
> Sent: Friday 3 September 2021 9:28
> To: samba
> Subject: [Samba] ad-backend: uidNumber set too late
> 
> Hi,
> 
> I'm using Samba in a domain using the ad backend.
> 
> Sometimes it happens that I create a new user and forget to set the
> uidNumber attribute right away. As far as Windows Server resources are
> concerned, that doesn't matter but as soon as I start giving this user
> access to resources on a Samba server, specifically on files using Windows
> ACL permissions, things don't work as expected until I realize that I
> forgot to set the uidNumber.

Hahaha.. I know that problem too.. 
A strict order when you're creating users helps. 

This is a script I made to fix it all. 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-fix-userhome-recursive.sh

Read it, adjust it to your needs. 
There might be a better way, but this works for me. 
Do note, the script resets all users when you run it. 
I use it on Debian/Ubuntu. 

> 
> Typically, in such a situation, I have to set the uidNumber attribute for
> the user, remove all permissions for the user on Samba machines and set
> them again from scratch.
What I do is just delete the folder, set the UID/GIDs again. 
And change one thing in the homedir/profiles setting and Windows recreates the folder. 
(Windows just needs to detect a change in these fields to show the Apply button.)
Adding/removing a space is sufficient. 

> 
> I wonder, is there another, maybe better way to correct such a situation?
Make a script like I made, or use mine and change it to your needs. 

> 
> And a follow-up question to this. Back in the day, I was under the
> impression that the ad backend is the "best" backend to use. 
In my opinion, yes, it still is.. 


> After having followed several discussions on the topic on the list over
> the past few years, it seems to me that the ad backend may have its
> advantages in hybrid environments where domain users need access to Linux
> machines. But other than that, RID seems better suited and easier to manage
> in single-domain environments where users only ever log on to Windows
> machines but may access file shares on Samba servers. Feel free to correct
> me on this impression.

How I see it, to use RID or AD: 
if it's just Windows you're using and no underlying links between servers, 
RID is sufficient, but if you do Linux stuff also or link servers (NFS etc.), 
AD is in my opinion better because it's just more consistent. 

I don't know if this still applies but.. My one and only reason for using 
backend AD is... 

IDs are only cached locally; they are stored in the AD database on the DCs. 
This means that if the local cache becomes corrupt, the file ownerships are not lost.

And I have had it once that my server broke down, resulting in me losing my ACLs.. 
But it's a choice; RID also improved to be more consistent with the assigned UID/GIDs. 
In the beginning of it, the UID/GIDs were not the same on different servers; now they are, 
if you use the Samba settings in smb.conf. 

> 
> So, say I decided to move from the ad backend to the rid backend, which
> steps would be involved?
I suggest you think very carefully first, or tell us more about what you're using in the network.

> 
> And one last point: In my opinion, the Wiki pages on the various id mapping
> backends are not clear enough and in certain points maybe even outdated.
> 
> As a concrete example, in the Wiki page to the ad backend it is stated
> that "If the Windows Active Directory Users and Computers (ADUC) program is
> not used, you have to manual (sic!) track ID values to avoid duplicates."

Agreed, yes. Rowland made the code for it but as far as I know it's not in Samba.


> With Windows 10 being the current and recommended version of Windows, this
> information is no longer true. You have to track the ID values manually in
> either case.
I have 1 Windows 7 PC to manage my AD, the only reason why I have 1 Win7.
Exactly because of what you point out here: the lack of ID tracking in AD.

> 
> As a more experienced Samba user, I see the Wiki page in a different light
> today than 5-6 years ago. But for new users, I still feel the content on
> these pages could be better structured and offer more guidance. Why not
> give a concise summary, describing when the user should prefer this one
> backend over another? And when it comes to listing advantages and
> disadvantages, I wish that it would be made clearer that some of them
> really only apply if domain users are going to work on Linux domain-joined
> machines.
> 
> Oh, and by the way, I'm more than happy to help with some of this myself
> if I get edit access to the Wiki.

That's always welcome :-) 


Greetz, 

Louis
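Added example, not part of the thread: a small shell helper for the two problems the messages above describe, users created without a uidNumber and the "manual ID tracking" the wiki asks for when ADUC is not used. It is not Louis's samba-fix-userhome-recursive.sh and not Samba project code. It works on LDIF as printed by ldbsearch (for example `ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=user)(!(objectClass=computer)))' sAMAccountName uidNumber` on a DC), finds entries that lack the attribute, computes the next free ID from the directory itself instead of a notebook, and prints the modify LDIF you would hand to ldbmodify. The three sample entries, the DNs, the example.com domain and the 10000 floor are constructed assumptions; base64-encoded (`attr::`) LDIF lines are not handled.

```shell
#!/bin/sh
# Added example for this thread (not Louis's script, not Samba project code).
# Input is LDIF as printed by ldbsearch, e.g. on a DC:
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     '(&(objectClass=user)(!(objectClass=computer)))' sAMAccountName uidNumber
# Assumptions: the sample entries below, the example.com DNs, the 10000 floor.
# Base64 LDIF lines ("attr:: ...") are not handled.

# Constructed sample of ldbsearch output: alice and viktor have a uidNumber,
# bob was created without one (the situation described in the thread).
SAMPLE_LDIF='# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob

# record 3
dn: CN=viktor,CN=Users,DC=example,DC=com
sAMAccountName: viktor
uidNumber: 10007

# returned 3 records
# 3 entries
# 0 referrals
'

# missing_attr ATTR   (LDIF on stdin)
# Prints "sAMAccountName<TAB>dn" for every entry that lacks ATTR
# (uidNumber for users, gidNumber for groups).
missing_attr() {
  awk -v attr="$1" '
    BEGIN { RS = "" }                      # one blank-line separated LDIF entry per record
    {
      sam = ""; dn = ""; have = 0
      n = split($0, line, "\n")
      for (i = 1; i <= n; i++) {
        if (line[i] ~ /^dn: /)                   dn  = substr(line[i], 5)
        else if (line[i] ~ /^sAMAccountName: /)  sam = substr(line[i], 17)
        else if (index(line[i], attr ": ") == 1) have = 1
      }
      if (sam != "" && !have) printf "%s\t%s\n", sam, dn   # the summary block has no sam
    }'
}

# next_free ATTR FLOOR   (LDIF on stdin)
# Highest ATTR value present plus one, but never below FLOOR. This is the
# manual ID tracking done from the directory rather than from a spreadsheet.
next_free() {
  awk -v attr="$1" -v floor="$2" '
    index($0, attr ": ") == 1 { v = substr($0, length(attr) + 3) + 0; if (v > max) max = v }
    END { r = max + 1; if (r < floor) r = floor; print r }'
}

# set_attr_ldif DN ATTR VALUE
# The modify record to feed to:  ldbmodify -H ldap://dc1.example.com -U administrator
set_attr_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n' "$1" "$2" "$2" "$3"
}

# plan_fixes   (LDIF on stdin)
# One modify record per user without uidNumber, handing out consecutive IDs
# starting at the next free one. Review the output before piping it into ldbmodify.
plan_fixes() {
  ldif=$(cat)
  tab=$(printf '\t')
  next=$(printf '%s\n' "$ldif" | next_free uidNumber 10000)
  printf '%s\n' "$ldif" | missing_attr uidNumber | while IFS="$tab" read -r sam dn; do
    set_attr_ldif "$dn" uidNumber "$next"
    echo
    next=$((next + 1))
  done
}

# Demo on the constructed sample; replace with a real ldbsearch pipeline to use it.
printf '%s' "$SAMPLE_LDIF" | missing_attr uidNumber
printf '%s' "$SAMPLE_LDIF" | plan_fixes
```

Two caveats when you apply the output on a real domain: the number you hand out has to fall inside the `idmap config DOMAIN : range` configured on the member servers, otherwise winbind ignores the attribute, and member servers that already tried to map the user keep a cached answer, so run `net cache flush` there after the ldbmodify. Files created while the user had no uidNumber are not re-owned by any of this; that is still the chown or delete-and-recreate step Louis describes.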