[Samba] id mapping
Rowland Penny
rpenny at samba.org
Sun Sep 19 18:51:17 UTC 2021
On Sun, 2021-09-19 at 13:16 -0500, Patrick Goetz via samba wrote:
> Hi -
>
> This question is with reference to:
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> I think I know how this works, but there are still points of
> confusion.
> Given the example smb.conf file provided on the page referenced
> above:
>
> [global] section of smb.conf:
> -------------------------------------
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.EXAMPLE.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-999999
> idmap config SAMDOM:unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> -------------------------------------
>
> I believe "Default domain" is a bit of a misnomer referring to
> accounts
> that are identified by nss before it gets to winbind or sssd;
You cannot use sssd with Samba.
> i.e.
> accounts found in /etc/passwd.
No, they are for the AD BUILTIN domain and are not in etc/passwd or
/etc/group
> So on this system (assuming no other
> directory services are configured), UIDs 3000-7999 are available for
> use
> in /etc/passwd.
No, you cannot use that range in /etc/passwd or /etc/group
> What I don't understand is why you're assigning a tdb
> backend to this when the authentication is going to be handled by
> pam_unix rather than pam_windbind. That's the main point of
> confusion.
That it is where your confusion starts, the ranges set in smb.conf are
not handled by pam_unix, they are handled by pam_winbind or pam_krb5
>
>
> Second, I'm assuming these 2 lines:
>
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-999999
>
> Refer to the values that can be set for the uidNumber attribute in
> the
> Active Directory database and further that users authenticating on
> this
> linux system will have the UIDs and GIDs specified in the uidNumber
> and
> gidNumber attributes associated with their user record.
Yes, but whilst the users & groups are authenticated by Samba AD, they
are also Unix users & groups
>
> It seems like you don't necessarily need:
>
> idmap config SAMDOM:unix_nss_info = yes
You only require this setting if you want to use a specific login shell
& home directory per user
>
> if everyone uses the same default shell and has the same home
> directory
> path; i.e. if these can be set using a global template.
>
> Based on the correctness of the above,
I think you may need to rethink your ranges etc. Also are you aware
that Samba has a way to upgrade an NT4-style domain to an AD domain ?
> I"m converting a small NT domain
> to Active Directory (by hand). The environment has several linux
> machines with local UIDs assigned in the 1001-2000 range (but with
> the
> UIDs the same across the linux hosts). Since I don't plan to bind
> most
> of the linux machines to the domain (there is a vague user-driven
> business case for this),
I would rethink this, it is always better to join machines to the
domain.
> I would like the authorization to work the same
> for Samba shares to AD bound Windows machines and the standalone
> linux
> workstations,
Good luck with that, it is probably impossible to get the same numeric
ID's on unjoined machines.
> since these systems mount the same remote filesystems via
> either SMB or NFS in the case of the linux systems. So my thought is
> to
> do something like this:
>
> portion of [global] section of smb.conf
> -------------------------------------
> idmap config * : backend = tdb
> idmap config * : range = 2000-2999
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 1001-1999
That will allow you ONE local Unix user and 1998 AD Unix users
I wouldn't recommended it.
> -------------------------------------
>
> Again, very unclear why I'm configuring a tdb database for local
> accounts, if my understanding of how this works is correct.
You aren't and, unfortunately, it appears you do not understand how it
works.
> This would
> reserve the UIDs 2000-2999 for potential local use, while creating an
> AD
> UID mapping that seamlessly works with the existing linux systems.
> Then
> if I do end up binding some of these linux machines to the domain,
> everything just works with no acl mapping, or anything like this.
If you are using the winbind 'ad' backend, then there is no acl
mapping.
>
> Any thoughts? Am I confused about how this works? My understanding
> of
> how the default domain works is based on this RHEL article:
> https://access.redhat.com/solutions/1984483
>
Try reading our documentation:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_ad
If you still do not understand something, please ask.
I personally would ignore what you have now and set up a new AD domain
and wouldn't use standalone servers, I would join everything to the
domain.
Rowland
More information about the samba
mailing list