[Samba] samba idmap mystery

Rowland Penny rpenny at samba.org
Wed Feb 22 09:57:19 UTC 2023
First: NEVER 'CC' ME

On 22/02/2023 09:31, d tbsky wrote:
> Rowland Penny via samba <samba at lists.samba.org>
>>>       Recently I needed to create a guest share to host computer group
>>> policy resources. I tried but failed, and found that recent Win10
>>> Enterprise/Win11 deny guest share access by default. So I thought maybe
>>> I could loosen the Samba configuration.
>>
>> Why would you think that ?
>> If you need guest access, then you need to turn it back on, on the
>> Windows clients.
> 
> I don't want to fight with the Windows default if possible, and domain
> computers are not really unknown guests;
> I just didn't give them an rfc2307 uid before. I want to make a read-only
> share for domain computers with minimal effort if possible.
> 
>>> my original idmap config at file server looks like:
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 1000000-1999999
>>> idmap config SAMDOM:backend = ad
>>> idmap config SAMDOM:schema_mode = rfc2307
>>> idmap config SAMDOM:range = 1000-999999
>>>
>>> I commented out the last line "idmap config SAMDOM:range = 1000-999999" and
>>
>> What was your reasoning for doing that ?
>> What did you hope to achieve ?
> 
> I hoped Samba would use the rfc2307 uid if the account has the setting,
> otherwise use a dynamic id.
> So a normal user account would have an rfc2307 uid, but a machine account
> would use a dynamic id.
> It seems that was just my dream.

Sounds more like a nightmare.

A computer in AD is just a user with an extra objectclass, which is why 
you can give it a uidNumber.

By removing the 'range' line, you turned the 'ad' idmapping off for the 
'SAMDOM' domain; this meant that everything fell back onto the default 
domain.

> 
>>
>>> restarted Samba. "getent passwd" returned all the domain accounts, with or
>>> without rfc2307 settings. "id machine$" also worked, and my computer
>>> group policy could read the share resource correctly.
>>
>> Now if you did restart Samba, this should have cleared the winbind
>> cache, unless, is nscd also running ? If it is, I suggest you remove it,
>> you cannot have two caches.
> 
> no I don't have nscd installed or running.

Well, there must have been some form of cache somewhere.

> 
>>> So I reverted my configuration and restarted smbd/winbind, but "id xxxx"
>>> or "getent passwd xxxx" still returned "1000010". I tried adding "winbind cache
>>> time=1", "idmap cache time=1", "idmap negative cache time=1"; I also tried
>>> deleting
>>> "/var/lib/samba/winbindd_cache.tdb" and
>>> "/var/lib/samba/winbindd_cache.tdb" and restarting winbind/smbd, but still
>>> could not get rid of the dynamic user id "1000010".
>>
>> It looks more and more like nscd is running.
> 
> No, I don't have nscd running. In fact, over the years, when an id mapping was
> missing or incorrect (getent passwd xxxx, id xxxx),
> I have had no way to make it appear/correct again unless a re-logged-on
> Windows machine accesses the file server.
> The id mappings have always been working for several years, so I almost
> forgot about the incorrect/missing situation.

If everything was running okay, why change it ?

> 
>> No, or no Unix domain member would work. What you are describing as
>> 'dynamic id mapping' is the default domain '*' which uses the tdb idmap
>> backend and this allocates Unix ID's for the BUILTIN domain and anything
>> that isn't in the 'SAMDOM' domain, by removing the line, you put
>> everything into the default domain.
>>
> 
> I think that's the truth. I didn't realize the full detail of the
> configuration. Now I understand.
> Thanks a lot for the clarification.
> 
>> The only mysteries here are, why did you remove the line and is nscd
>> running ?
> 
> Because I was too lazy to add an rfc2307 uid to the machine accounts.

Why do you need to do that? For most things on Linux, computers are 
identified by their hostname. If you are going to add uidNumber 
attributes to computers, then also give the Domain Computers group a 
gidNumber.

Rowland
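The failure mode discussed above (an idmap domain with a backend but no range, which silently drops that domain and sends every lookup to the default '*' tdb backend) is easy to catch before restarting winbind. The script below is an added example, not code from the thread or from the Samba project: it reads an smb.conf from stdin and reports any 'idmap config' domain that has no backend or no range, plus any two ranges that overlap. The three smb.conf fragments are constructed for the example; the first two mirror the working and broken configs from the thread, the third adds an overlapping-range case that the thread does not show. Samba's own `testparm` remains the authoritative check of a configuration.

```shell
#!/bin/sh
# Added example: sanity-check the 'idmap config' lines of an smb.conf.
# Not Samba project code; the configs below are constructed for the demo.

# Constructed: the original working config from the thread.
WORKING_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 1000-999999
'
# Constructed: the same config with the SAMDOM range commented out,
# which is what turned the ad backend off for SAMDOM.
BROKEN_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   #idmap config SAMDOM : range = 1000-999999
'
# Constructed: a second common mistake, the default and domain ranges overlap
# (not a case from the thread, added to show the overlap check).
OVERLAP_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 5000-9999
'

# check_idmap: read an smb.conf on stdin, print one line per problem found.
# Prints nothing when every idmap domain has a backend and a range and no
# two ranges overlap. Comment lines (# or ;) are ignored, as Samba does.
check_idmap() {
  awk '
    /^[ \t]*[#;]/ { next }
    tolower($0) ~ /^[ \t]*idmap[ \t]+config[ \t]/ {
      line = $0
      sub(/^[ \t]*[Ii][Dd][Mm][Aa][Pp][ \t]+[Cc][Oo][Nn][Ff][Ii][Gg][ \t]*/, "", line)
      # line is now "DOMAIN : key = value"; spaces around ":" and "=" are optional
      n = index(line, ":"); if (n == 0) next
      dom = substr(line, 1, n - 1); gsub(/[ \t]/, "", dom)
      rest = substr(line, n + 1)
      m = index(rest, "="); if (m == 0) next
      key = tolower(substr(rest, 1, m - 1)); gsub(/[ \t]/, "", key)
      val = substr(rest, m + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "backend") backend[dom] = val
      if (key == "range")   range[dom] = val
      seen[dom] = 1
    }
    END {
      for (d in seen) {
        if (!(d in backend)) printf "%s: no backend set\n", d
        if (!(d in range)) {
          # This is the thread case: winbind will not set up this idmap
          # domain, so its lookups fall through to the default (*) domain.
          printf "%s: backend %s but no range: winbind will not use this idmap domain, lookups fall back to the default (*) domain\n", d, backend[d]
          continue
        }
        split(range[d], r, "-"); lo[d] = r[1] + 0; hi[d] = r[2] + 0
        if (lo[d] > hi[d]) printf "%s: range %s is inverted\n", d, range[d]
      }
      # Every pair of domains with a valid range must not overlap.
      for (a in lo) for (b in lo)
        if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a])
          printf "%s and %s: ranges %s and %s overlap\n", a, b, range[a], range[b]
    }'
}

# Usage: run the check against the three constructed configs.
printf '%s' "$WORKING_CONF" | check_idmap
printf '%s' "$BROKEN_CONF"  | check_idmap
printf '%s' "$OVERLAP_CONF" | check_idmap
# Against a live system: check_idmap < /etc/samba/smb.conf
```

Run against the broken config it prints the single SAMDOM line; against the working config it prints nothing. The check is deliberately narrow: it validates the shape of the idmap configuration, not whether the 'ad' backend will actually find uidNumber/gidNumber attributes for a given account.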