[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs
Luis Peromarta
lperoma at icloud.com
Tue Jun 11 14:51:46 UTC 2024
All,
In the past few days I have been experimenting with the mappings in Samba servers. Today is the DC day.
Procedure:
In my setup, I provisioned with rfc2307 schema. In fairness everyone should, as it’s free, and you can later use it or not.
‘idmap_ldb:use rfc2307 = yes’ is in the smb.conf; it’s there by default when the domain is provisioned with rfc2307 - this reads gidNumbers and uidNumbers for users from the rfc2307 attributes supplied when creating users and groups.
I have created a couple of users and groups: the ‘Unix Admins’ group (10007), which is a member of ‘Domain Admins’, and the ‘Luis’ user (10005), a member of ‘Unix Admins’.
As per the generally accepted rule, ‘Domain Admins’ has no gidNumber, so as not to conflict with the internal idmap mapping for ‘Domain Admins’, which is an ‘ID_TYPE_BOTH’, meaning it’s a user and a group. So far so good.
root at dc1:~# wbinfo --uid-info 3000005
MAD\domain admins:*:3000005:3000005::/home/MAD/domain admins:/bin/false
root at dc1:~# wbinfo --gid-info 3000005
MAD\domain admins:x:3000005:
I have created a test GPO, run ‘if ! samba-tool ntacl sysvolcheck; then samba-tool ntacl sysvolreset; fi’ - initially permissions wrong as expected and then corrected. All looking OK.
root at dc1:/var/lib/samba/sysvol/mad.caponato.es/Policies# ll
8.0K drwxrwx---+ 4 MAD\domain admins MAD\domain admins 4.0K Jun 11 15:17 {AE31896B-7228-4830-A7C7-A948B14C918A}
I create a test file in /root/ as follows, and check for ownership:
touch test
chown Luis:'Unix Admins' test
root at dc1:~# ll | grep test
0 -rw-r--r-- 1 MAD\luis MAD\unix admins 0 Jun 11 14:13 test
root at dc1:~# ll -n | grep test
0 -rw-r--r-- 1 10005 10007 0 Jun 11 14:13 test
We see uid 10005 and gid 10007, ‘luis’ and ‘Unix Admins’ respectively from the rfc2307 attributes. Correct.
root at dc1:~# wbinfo --gid-info 10007
MAD\unix admins:x:10007:
root at dc1:~# wbinfo --uid-info 10005
MAD\luis:*:10005:10000::/home/MAD/luis:/bin/false
All working as expected.
** Now let’s remove ‘idmap_ldb:use rfc2307 = yes’ from smb.conf and reboot **
The file /root/test can not be mapped to a user, as expected.
root at dc1:~# ll | grep test
0 -rw-r--r-- 1 10005 10007 0 Jun 11 14:13 test
Let’s re-assign it.
chown Luis:'Unix Admins' test
root at dc1:~# ll | grep test
0 -rw-r--r-- 1 MAD\luis MAD\unix admins 0 Jun 11 14:13 test
root at dc1:~# ll -n | grep test
0 -rw-r--r-- 1 3000028 3000454 0 Jun 11 14:13 test
Again, as expected, we are getting uid and gid in the 3000000+ range from the internal tdb. IDs are different to any member server with RID or AD mapping, so what? If RID is used in other member servers, we will have different mappings for the members and the DCs anyway.
So, question number 1: is idmap_ldb:use rfc2307 = yes required for a DC that shares no files except sysvol? I’d say no.
Question number 2: now that the DC is not reading from rfc2307, why can’t I assign Domain Admins a gidNumber? The DC is not going to know about it. Right?
At this stage, I am going to assign ‘Domain Admins’ a gidNumber and check (gidNumber 10100).
if ! samba-tool ntacl sysvolcheck; then samba-tool ntacl sysvolreset; fi
This reports no errors. All looks exactly the same as before.
One more for the road. I am going to add back ‘idmap_ldb:use rfc2307 = yes’.
root at dc1:~# wbinfo --gid-info 3000005
MAD\domain admins:x:3000005:
root at dc1:~# wbinfo --uid-info 3000005
MAD\domain admins:*:3000005:3000005::/home/MAD/domain admins:/bin/false
My old test file:
chown luis:'Domain Admins' test
root at dc1:~# ll | grep test
0 -rw-r--r-- 1 MAD\luis MAD\domain admins 0 Jun 11 14:13 test
root at dc1:~# ll -n | grep test
0 -rw-r--r-- 1 3000028 3000005 0 Jun 11 14:13 test
Strange: now the DC is not reading from rfc2307 by default (not even for the user luis); it is still using internal idmap. Have I done something wrong? However, it accepts both internal and rfc2307 uids.
root at dc1:~# wbinfo --uid-info 3000028
MAD\luis:*:10005:10000::/home/MAD/luis:/bin/false
root at dc1:~# wbinfo --uid-info 10005
MAD\luis:*:10005:10000::/home/MAD/luis:/bin/false
I am confused. Again.
Thank you for your inputs. And sorry for the long email.
LP
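An audit helper for the situation described in the mail, added here as an example and not part of the original post or of Samba itself: it reads whether smb.conf sets ‘idmap_ldb:use rfc2307 = yes’, parses an `ls -ln` listing, and flags files whose numeric owner or group comes from the mapping scheme the DC is not currently using (rfc2307 ids become unmapped when the setting is removed; internal ids remain resolvable but mark mixed ownership). The smb.conf fragments and the listing are constructed, and the 3000000 lower bound for idmap.ldb's internal xidNumbers is an assumption based on the ids shown in the mail.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragments: the DC with and without the setting under test.
SMB_CONF_WITH_RFC2307 = "[global]\n\tserver role = active directory domain controller\n\tidmap_ldb:use rfc2307 = yes\n"
SMB_CONF_WITHOUT_RFC2307 = "[global]\n\tserver role = active directory domain controller\n"

# Constructed `ls -ln` output in the shape shown in the mail (numeric owner/group).
LS_N_OUTPUT = """\
-rw-r--r-- 1 10005 10007 0 Jun 11 14:13 test
-rw-r--r-- 1 3000028 3000454 0 Jun 11 14:13 test2
drwxrwx---+ 4 3000005 3000005 4096 Jun 11 15:17 {GUID-PLACEHOLDER}
"""

# Assumption: idmap.ldb hands out its internal xidNumbers from 3000000 upward
# (the ids in the mail, 3000005/3000028/3000454, all sit in that range).
INTERNAL_XID_BASE = 3000000


def uses_rfc2307(smb_conf: str) -> bool:
    """True if smb.conf enables 'idmap_ldb:use rfc2307 = yes'."""
    m = re.search(r"^\s*idmap_ldb\s*:\s*use\s+rfc2307\s*=\s*(\S+)", smb_conf, re.M | re.I)
    return bool(m) and m.group(1).lower() in ("yes", "true", "1")


def parse_ls_n(listing: str) -> List[Tuple[str, int, int]]:
    """Parse `ls -ln` lines into (name, uid, gid); skip lines that are not entries."""
    rows = []
    for line in listing.splitlines():
        parts = line.split(None, 8)  # perms links uid gid size mon day time name
        if len(parts) == 9 and parts[2].isdigit() and parts[3].isdigit():
            rows.append((parts[8], int(parts[2]), int(parts[3])))
    return rows


def id_source(xid: int) -> str:
    """Which mapping an id came from, judged purely by its numeric range."""
    return "internal" if xid >= INTERNAL_XID_BASE else "rfc2307"


def audit_ownership(smb_conf: str, listing: str) -> Dict[str, List[str]]:
    """'unmapped': rfc2307-range ids on a DC not reading rfc2307 (shown numerically,
    as in the mail); 'mixed': internal ids on a DC that does read rfc2307."""
    rfc = uses_rfc2307(smb_conf)
    report: Dict[str, List[str]] = {"unmapped": [], "mixed": []}
    for name, uid, gid in parse_ls_n(listing):
        sources = {id_source(uid), id_source(gid)}
        if not rfc and "rfc2307" in sources:
            report["unmapped"].append(name)
        elif rfc and "internal" in sources:
            report["mixed"].append(name)
    return report
```

On a real DC, feed it the output of `ls -ln` over sysvol and any other local paths before removing or adding the setting, so ownership that will stop resolving is known in advance.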