[Samba] ad-backend: uidNumber set too late

Rowland Penny rpenny at samba.org
Fri Sep 3 08:18:44 UTC 2021


On Fri, 2021-09-03 at 09:27 +0200, Viktor Trojanovic via samba wrote:
> Hi,
> 
> I'm using Samba in a domain using the ad backend.
> 
> Sometimes it happens that I create a new user and forget to set the
> uidNumber attribute right away. As far as Windows Server resources are
> concerned, that doesn't matter but as soon as I start giving this user
> access to resources on a Samba server, specifically on files using
> Windows ACL permissions, things don't work as expected until I realize
> that I forgot to set the uidNumber.
> 
> Typically, in such a situation, I have to set the uidNumber attribute
> for the user, remove all permissions for the user on Samba machines and
> set them again from scratch.

I don't fully understand that, surely if you are using the 'ad' backend
on a Unix domain member, then your user without a uidNumber attribute
would be unknown and couldn't own anything.

> 
> I wonder, is there another, maybe better way to correct such a
> situation?
> 
> And a follow-up question to this. Back in the day, I was under the
> impression that the ad backend is the "best" backend to use. After
> having followed several discussions on the topic on the list over the
> past few years, it seems to me that the ad backend may have its
> advantages in hybrid environments where domain users need access to
> Linux machines. But other than that, RID seems better suited and easier
> to manage in single-domain environments where users only ever log on to
> Windows machines but may access file shares on Samba servers. Feel free
> to correct me on this impression.

All of the winbind backends have their advantages and disadvantages:

The 'ad' backend, along with ensuring that the IDs are the same
everywhere, allows for different shells & home directories per user.
However, you have to manually add the rfc2307 attributes.

The 'rid' backend allows for the same Unix IDs everywhere, provided
you use the same smb.conf everywhere. You do not have to add anything
to AD. You will have to use the same shell & home directory for every
user.

The 'autorid' backend is similar to the 'rid' backend but allows for
multiple domains and is the easiest to set up.

> 
> So, say I decided to move from the ad backend to the rid backend, which
> steps would be involved?

You would have to change the smb.conf (the easy part) and then change
the permissions on the data.

> 
> And one last point: In my opinion, the Wiki pages on the various id
> mapping backends are not clear enough and in certain points maybe even
> outdated.
> 
> As a concrete example, in the Wiki page to the ad backend it is stated
> that "If the Windows Active Directory Users and Computers (ADUC)
> program is not used, you have to manual (sic!) track ID values to avoid
> duplicates." With Windows 10 being the current and recommended version
> of Windows, this information is no longer true. You have to track the
> ID values manually in either case.

I have changed that, thanks for pointing it out :-)

> 
> As a more experienced Samba user, I see the Wiki page in a different
> light today than 5-6 years ago. But for new users, I still feel the
> content on these pages could be better structured and offer more
> guidance. Why not give a concise summary, describing when the user
> should prefer this one backend over another? And when it comes to
> listing advantages and disadvantages, I wish that it would be made
> clearer that some of them really only apply if domain users are going
> to work on Linux domain-joined machines.

Quite a lot of the Samba wiki is based on Unix domain joined machines,
but perhaps it could be phrased better.

> 
> Oh, and by the way, I'm more than happy to help with some of this
> myself if I get edit access to the Wiki.
> 

That is easy, just follow the process and you can edit the wiki.

Rowland
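The two problems discussed in this thread, a user with no uidNumber being unmappable under the 'ad' backend, and the Unix IDs changing when you switch to the 'rid' backend (hence the need to redo permissions on the data), can be checked before touching any file. The script below is an added example, not code from either poster or from the Samba project: it parses a constructed LDIF sample (the SIDs, names and uidNumber values are invented) and applies the documented idmap_rid formula, ID = RID - base_rid + range_low, with an assumed range of 10000-999999.

```python
import re

# Constructed sample in the shape of LDIF output for three AD users
# (names, SIDs and uidNumber values are invented for this example).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
uidNumber: 10005

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1107
uidNumber: 10007
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line-separated LDIF entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def rid_backend_id(sid, range_low, base_rid=0):
    """ID the 'rid' backend assigns: ID = RID - base_rid + range_low (idmap_rid(8))."""
    rid = int(sid.rsplit("-", 1)[1])          # last SID component is the RID
    return rid - base_rid + range_low

def audit(ldif_text, range_low=10000, range_high=999999):
    """Per user: the 'ad' backend uid (None if uidNumber is missing) and the 'rid' uid."""
    report = {}
    for e in parse_ldif(ldif_text):
        ad_uid = int(e["uidNumber"]) if "uidNumber" in e else None
        rid_uid = rid_backend_id(e["objectSid"], range_low)
        in_range = range_low <= rid_uid <= range_high  # idmap_rid ignores IDs outside the range
        report[e["sAMAccountName"]] = {"ad_uid": ad_uid, "rid_uid": rid_uid, "rid_in_range": in_range}
    return report

def unmapped_under_ad(ldif_text):
    """Users winbind cannot map with the 'ad' backend because uidNumber is absent."""
    return sorted(name for name, r in audit(ldif_text).items() if r["ad_uid"] is None)
```

Because alice's uidNumber (10005) and her rid-backend ID (11105) differ, files she owns would need their ownership changed after the switch, which is the "change the permissions on the data" step above.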
