[Samba] Samba AD-DC using existing user IDs for new machine accounts - idmap.ldb xidNumber

Rowland Penny rpenny at samba.org
Wed Jun 8 14:51:11 UTC 2022

On Wed, 2022-06-08 at 14:05 +0000, akanator111-smba--- via samba wrote:
> I have an existing NFS share with data from many linux only user
> accounts. Those accounts were all in the 500-1000 user ID range. Now
> I've tried setting up Samba as an AD-DC and mapping the new users
> created there to their old user IDs so they have access to their
> files.

Not a good idea to use a DC as a fileserver.

> To map those user IDs, I first create a new user on the AD-DC and
> then edit the idmap.ldb via:

BAD idea, if you add another DC (which is highly recommended), your
users will all get another ID and they will be in a different order,
because they are created in idmap.ldb based on the order they connect.

> ldbedit -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-19...
> ... and set the xidNumber to their previous linux user ID. This works
> fine so far. Files are now owned by the Samba AD user.

Still not a good idea.

> Now the problem comes when I'm adding more machines to my AD domain.
> Samba seemingly gives out IDs for those machine accounts (hostname$)
> without checking if the ID is already in use by a user account,
> leading to files suddenly being owned by "hostname$" instead of the
> user. Manually changing the machine account xidNumber to something
> else fixes the problem for the moment, but as soon as new hosts join
> the AD, I can be almost sure it'll choose a user ID out of my user ID
> range (<1000), messing everything up again.

To be honest, using such low IDs was never a good idea and it is now
coming home to roost.

> Does anyone have an idea on how to do this better? Maybe I can
> configure the range for new user/machine IDs somewhere so it does not
> intersect with my user ID range?

Use uidNumber and gidNumber attributes and then the idmap_ad winbind
backend on the Unix domain member I suggest you create.

