[Samba] id mapping

Rowland Penny rpenny at samba.org
Thu Sep 23 19:39:23 UTC 2021 

On Thu, 2021-09-23 at 13:50 -0500, Patrick Goetz via samba wrote:
> Finally getting back to this.
> 
> On 9/19/21 13:51, Rowland Penny via samba wrote:
> > On Sun, 2021-09-19 at 13:16 -0500, Patrick Goetz via samba wrote:
> > > Hi -
> > > 
> > > This question is with reference to:
> > >    https://wiki.samba.org/index.php/Idmap_config_ad
> > > 
> > > I think I know how this works, but there are still points of
> > > confusion.
> > > Given the example smb.conf file provided on the page referenced
> > > above:
> > > 
> > > [global] section of smb.conf:
> > > -------------------------------------
> > >     security = ADS
> > >     workgroup = SAMDOM
> > >     realm = SAMDOM.EXAMPLE.COM
> > > 
> > >     log file = /var/log/samba/%m.log
> > >     log level = 1
> > > 
> > >     # Default ID mapping configuration for local BUILTIN accounts
> > >     # and groups on a domain member. The default (*) domain:
> > >     # - must not overlap with any domain ID mapping
> > > configuration!
> > >     # - must use a read-write-enabled back end, such as tdb.
> > >     idmap config * : backend = tdb
> > >     idmap config * : range = 3000-7999
> > >     # - You must set a DOMAIN backend configuration
> > >     # idmap config for the SAMDOM domain
> > >     idmap config SAMDOM:backend = ad
> > >     idmap config SAMDOM:schema_mode = rfc2307
> > >     idmap config SAMDOM:range = 10000-999999
> > >     idmap config SAMDOM:unix_nss_info = yes
> > > 
> > >     vfs objects = acl_xattr
> > >     map acl inherit = yes
> > >     store dos attributes = yes
> > > -------------------------------------
> > > 
> > > I believe "Default domain" is a bit of a misnomer referring to
> > > accounts
> > > that are identified by nss before it gets to winbind or sssd;
> > 
> > You cannot use sssd with Samba.
> > 
> > >   i.e.
> > > accounts found in /etc/passwd.
> > 
> > No, they are for the AD BUILTIN domain and are not in etc/passwd or
> > /etc/group
> > 
> > > So on this system (assuming no other
> > > directory services are configured), UIDs 3000-7999 are available
> > > for
> > > use
> > > in /etc/passwd.
> > 
> > No, you cannot use that range in /etc/passwd or /etc/group
> > 
> > > What I don't understand is why you're assigning a tdb
> > > backend to this when the authentication is going to be handled by
> > > pam_unix rather than pam_windbind.  That's the main point of
> > > confusion.
> > 
> > That it is where your confusion starts, the ranges set in smb.conf
> > are
> > not handled by pam_unix, they are handled by pam_winbind or
> > pam_krb5
> > 
> 
> Yes, I'm confused, but mainly because I don't understand the purpose
> of 
> the default BUILTIN domain. The domain we're configuring in the 
> documentation is SAMDOM -- what is the default domain for?

The default domain (*) is meant for the Well Known SID's (see here 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
) and anything outside the 'DOMAIN' domain (trusted domains etc)

> 
> 
> > > 
> > > Second, I'm assuming these 2 lines:
> > > 
> > >     idmap config SAMDOM:schema_mode = rfc2307
> > >     idmap config SAMDOM:range = 10000-999999
> > > 
> > > Refer to the values that can be set for the uidNumber attribute
> > > in
> > > the
> > > Active Directory database and further that users authenticating
> > > on
> > > this
> > > linux system will have the UIDs and GIDs specified in
> > > thedesicion uidNumber
> > > and
> > > gidNumber attributes associated with their user record.
> > 
> > Yes, but whilst the users & groups are authenticated by Samba AD,
> > they
> > are also Unix users & groups
> > 
> > > It seems like you don't necessarily need:
> > > 
> > >     idmap config SAMDOM:unix_nss_info = yes
> > 
> > You only require this setting if you want to use a specific login
> > shell
> > & home directory per user
> >   
> > > if everyone uses the same default shell and has the same home
> > > directory
> > > path; i.e. if these can be set using a global template.
> > > 
> > > Based on the correctness of the above,
> > 
> > I think you may need to rethink your ranges etc. Also are you aware
> > that Samba has a way to upgrade an NT4-style domain to an AD domain
> > ?
> > 
> > >   I"m converting a small NT domain
> > > to Active Directory (by hand).  The environment has several linux
> > > machines with local UIDs assigned in the 1001-2000 range (but
> > > with
> > > the
> > > UIDs the same across the linux hosts).  Since I don't plan to
> > > bind
> > > most
> > > of the linux machines to the domain (there is a vague user-driven
> > > business case for this),
> > 
> > I would rethink this, it is always better to join machines to the
> > domain.
> > 
> > > I would like the authorization to work the same
> > > for Samba shares to AD bound Windows machines and the standalone
> > > linux
> > > workstations,
> > 
> > Good luck with that, it is probably impossible to get the same
> > numeric
> > ID's on unjoined machines.
> 
> You've convinced me I need to bind all machines (including the linux 
> machines) to the domain, but then I don't really see the point of
> using 
> RFC 2307 extensions. The AD server will equate the user's SID with
> their 
> UID regardless of what the UID is, and all users have an assigned
> UID 
> based on the id mapping, whatever it is. I guess if you already have
> a 
> large filesystem with legacy POSIX permissions, using RFC 2307
> prevents 
> you from having to re-assign all the permissions. In the absence of
> that 
> concern, and in the case of a single domain with Samba AD I would 
> probably just use UID=RID, which I think is one of the options.

You only need the rfc2307 attributes if you want your Unix users to
have different login shells and home directories. If you are happy for
your users to all have the same login shells (/bin/bash for instance)
and the same home directories (/home/SAMDOM/username), you can use the
'rid' or autorid' winbind backend, these use the AD RID to calculate
the user or group Unix ID, read 'man idmap_rid' and 'man idmap_autorid'
for more information.

> 
> However, I'm not seeing why this wouldn't work: User foobar has the 
> UID/GID 1517 on an unaffiliated linux host. So in AD, I set the 
> uidNumber and gidNumber for UserName foobar to 1517.  Presumably the 
> owner UID for any files on the Samba file server for AD user foobar 
> would be 1517, so an NFS mount using sec=sys to the linux machine
> would 
> have the right permissions. If they log in to a Windows client, the
> SID 
> would be equated to UID 1517 by the DC and permissions on the Samba 
> share to the Windows client would work, too. (Yes, of course this
> would 
> turn into a maintenance headache, which is why you've convinced me
> to 
> bind everything to the domain.) I'm pushing back on the "impossible"
> claim.

Looking at how the 'rid' backend works, it uses this formula:

ID = RID - BASE_RID + LOW_RANGE_ID

The Base_RID is 0 by default, so it becomes:

ID = RID + LOW_RANGE_ID

>From that, I hope you can see that it is unlikely you will get '1517'
for the ID. you would need this user to be the first user you create
and the the DOMAIN range would need to be set to something like 517-
999999, which would lead to:

1517 = 1000 + 517

'autorid' uses a slightly different formula, but works in the same way.

Rowland

More information about the samba mailing list