On 08-09-2023 14:27, Rowland Penny via samba wrote:
> On Fri, 8 Sep 2023 12:43:13 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>> Hi Rowland,
>> The other day you touched on an interesting topic along these lines.
>> I have been assigning the default AD groups (all of them) such as
>> 'domain admins' and 'domain users' a gidNumber on my domains.
>> I am using rfc2307 everywhere, which is reflected by 'idmap config
>> <domain>:backend = ad' and 'idmap config <domain>:schema_mode =
>> rfc2307' on member-servers.
> Which is the only way to get the same IDs everywhere, but do you need
> to?
> If you use the 'rid' idmap backend and use the same basic smb.conf file
> on all Unix domain members, you will get the same Unix IDs on all, but
> it will be different from the 3000000 range xidNumbers found on DCs and
> as you are only supposed to use the DCs for authentication, does this
> matter?
> What may matter more, are the shell and home directories, but again,
> you are more likely to set these on a machine basis anyway.
>> Until yesterday there was 'idmap_ldb:use rfc2307 = yes' on the DCs,
>> but as you correctly pointed out that makes the id resolving
>> dependent on the state of winbind's cache and if it is wrong, sysvol
>> is broken.
> Using 'idmap_ldb:use rfc2307 = yes' on a DC (and you can only use it on
> a DC) means that idmap_ldb will use any uidNumber and gidNumber
> attributes found in AD. This does not mean that these attributes will
> be used on Unix domain members, you would still have to configure the
> smb.conf to use them and configure it correctly.
> The winbind cache will cache whatever is being used, be that only
> xidNumbers, uidNumbers & gidNumbers, or a mixture of the two, it is
> also independent of the backend.
>> Fortunately I never had that issue but it is very dangerous.
>> The option 'idmap_ldb:use rfc2307 = yes' gets added automatically
>> when you provision with '--use-rfc2307', so it needs explicit
>> removal, good to know, thanks!
> I seem to remember that there is a bug report about this, but if you
> are using the 'ad' idmap backend on Unix domain members and wish to
> have the same IDs everywhere, you need it. The problem starts if you
> have that parameter and you give all the default Windows users and
> groups a Unix ID: most of these users and groups are never used on
> Samba, so it doesn't make much sense to give them a Unix ID.
>> On the DCs (and only there) the default AD groups normally resolve to
>> their xidNumber and rightfully so. With backend=ad they will *not*
>> resolve to anything on member-servers if gidNumber is not set. That
>> in turn is a problem for example with permissions on file-shares (as
>> I want to grant permissions to 'domain users'), so I do want those
>> groups to resolve to a gid on member-servers.
> If you do not use:
> idmap config SAMDOM:unix_primary_group = yes
> in smb.conf with the 'ad' idmap backend, then you must give Domain
> Users a gidNumber and that gidNumber must be inside the DOMAIN range
> set in your smb.conf. If you do use that line, then whatever group the
> user will use as their primary group must have a gidNumber and the user
> must also have the same gidNumber.
>> At the moment I assign them free gidNumbers from the designated
>> range. As a result the gid on member-servers differs from the one
>> (xidNumber) on the DCs. I have not had any troubles with that
>> difference but I would think it is undesirable.
> That would all depend on how Samba is configured.

On the DCs I no longer have any idmap entries in smb.conf. But the DC is 
only accessed over the wire: smb (sysvol/netlogon/dfs-root only), ldap, 
kerberos, rpc etc., so the actual number returned by the internal 
resolving is not really important.

On the member-servers I configured:

idmap config samdom:backend = ad
idmap config samdom:schema_mode = rfc2307
idmap config samdom:unix_primary_group = yes
idmap config samdom:unix_nss_info = yes
idmap config samdom:range = 1001-100000
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
winbind cache time = 300
winbind offline logon = yes
winbind nss info = rfc2307
winbind enum groups = no
winbind enum users = no
winbind nested groups = yes
winbind expand groups = 10
winbind normalize names = no
winbind refresh tickets = yes
winbind scan trusted domains = no
winbind use default domain = yes
winbind request timeout = 10

I am aware that a range starting at 1001 is very low but it is a 
deliberate choice here.

The reasons to use rfc2307 instead of an automatic id-mapping are:

  * there are migrated pre-samba4 users on some domains (that is why I
    have to let the range start at 1001, but then again there are no
    local users, except for uid=1000), so these have a traditional
    uid/gid which is now available through uidNumber and gidNumber
  * some domains are also using nfs so the filesystem uid/gid is exposed
    over the wire and should always match winbind (to prevent issues
    with nfs + smb, the shares are different dir-trees on the server)
  * changing the id-mapping backend is nearly impossible as file
    ownerships are lost or at least need some kind of tricky renumbering

I am very much tempted to make the gidNumber of the default AD groups 
equal to the xidNumber, so that I will not run into trouble when winbind 
is able to use those xidNumbers on member-servers at some point in the future.

>> The easiest way to make them identical would be for Samba to present
>> the xidNumbers over the wire to member-servers, but I guess no such
>> option exists. Another way of getting it done is for my script to
>> lookup gid (xidNumber) on the DC and put it in the gidNumber of that
>> group.
> The problem is that a DC can only use idmap_ldb (at present, who knows
> what could happen in the future?) and Unix domain members, from the
> long list of idmap backends, cannot.
>> What are your thoughts on this topic? Make them identical, better not
>> do that or perhaps it does not matter at all?
> As I say above, if all you are using a DC for is authentication, dns
> and GPOs, then you do not need to use anything but xidNumbers.
> Rowland
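The rules Rowland states for the 'ad' backend (every gidNumber inside the DOMAIN range; with 'unix_primary_group = yes' each user's gidNumber must belong to a group that carries that gidNumber, otherwise Domain Users itself needs a gidNumber) can be checked before winbind starts failing lookups silently. The checker below is an added example, not code from the thread or from Samba; the smb.conf fragment, the group/user entries and the function names are constructed for illustration.

```python
"""Consistency check for rfc2307 ID mapping with the 'ad' idmap backend.

Added example, not from the thread or from Samba. It applies the rules
discussed in the thread to constructed sample data: gidNumbers must lie
inside the DOMAIN range, and with unix_primary_group = yes every user's
gidNumber must match a group's gidNumber (without it, Domain Users needs one).
"""
import re

# Constructed smb.conf fragment, modelled on the member-server config in the thread.
SMB_CONF = """
idmap config samdom:backend = ad
idmap config samdom:schema_mode = rfc2307
idmap config samdom:unix_primary_group = yes
idmap config samdom:range = 1001-100000
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
"""

# Constructed AD entries, as an LDAP search for uidNumber/gidNumber might return them.
# 513000 is deliberately outside the DOMAIN range; None means the attribute is unset.
GROUPS = {"Domain Users": 513000, "Domain Admins": None, "storage": 2001}
USERS = {"alice": {"uidNumber": 1500, "gidNumber": 2001},
         "bob": {"uidNumber": 1501, "gidNumber": 4242}}


def idmap_settings(conf, domain):
    """Return the 'idmap config <domain>:<key> = value' settings for one domain."""
    pat = re.compile(rf"^\s*idmap config {re.escape(domain)}:(\w+)\s*=\s*(.+?)\s*$",
                     re.I | re.M)
    return {key.lower(): value for key, value in pat.findall(conf)}


def check_idmap(conf, domain, groups, users):
    """Return a list of problem descriptions; an empty list means consistent."""
    settings = idmap_settings(conf, domain)
    lo, hi = (int(x) for x in settings["range"].split("-"))
    problems = []
    for name, gid in groups.items():
        if gid is not None and not lo <= gid <= hi:
            problems.append(f"group '{name}' gidNumber {gid} outside range {lo}-{hi}")
    if settings.get("unix_primary_group", "no").lower() == "yes":
        known_gids = {g for g in groups.values() if g is not None}
        for name, attrs in users.items():
            if attrs.get("gidNumber") not in known_gids:
                problems.append(f"user '{name}' gidNumber {attrs.get('gidNumber')} matches no group")
    elif groups.get("Domain Users") is None:
        problems.append("'Domain Users' has no gidNumber (needed without unix_primary_group)")
    for name, attrs in users.items():
        if not lo <= attrs["uidNumber"] <= hi:
            problems.append(f"user '{name}' uidNumber {attrs['uidNumber']} outside range {lo}-{hi}")
    return problems
```

With the sample data, the Domain Users gidNumber is flagged as out of range and bob's primary gidNumber as matching no group; alice resolves cleanly through the 'storage' group.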

