[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Luis Peromarta lperoma at icloud.com
Tue Jun 11 14:51:46 UTC 2024


All,

In the past few days I have been experimenting with the mappings in Samba servers. Today is the DC day.

Procedure:

In my setup, I provisioned with rfc2307 schema. In fairness everyone should, as it’s free, and you can later use it or not.

'idmap_ldb:use rfc2307 = yes' is in smb.conf; it's there by default when the domain is provisioned with rfc2307. This reads the uidNumbers and gidNumbers for users and groups from the rfc2307 attributes supplied when creating them.

I have created a couple of users and groups: the ‘Unix Admins’ group (10007), which is a member of ‘Domain Admins’, and the ‘Luis’ user (10005), a member of ‘Unix Admins’.

As per the generally accepted rule, ‘Domain Admins’ is given no gidNumber, so as not to conflict with the internal idmap mapping for ‘Domain Admins’, which is ID_TYPE_BOTH, meaning it is both a user and a group. So far so good.

root at dc1:~# wbinfo --uid-info 3000005
MAD\domain admins:*:3000005:3000005::/home/MAD/domain admins:/bin/false

root at dc1:~# wbinfo --gid-info 3000005
MAD\domain admins:x:3000005:

I have created a test GPO and run 'if ! samba-tool ntacl sysvolcheck; then samba-tool ntacl sysvolreset; fi'. Initially the permissions were wrong, as expected, and then they were corrected. All looking OK.

root at dc1:/var/lib/samba/sysvol/mad.caponato.es/Policies# ll
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Jun 11 15:17 {AE31896B-7228-4830-A7C7-A948B14C918A}

I create a test file in /root/ as follows, and check for ownership:

touch test
chown Luis:'Unix Admins' test

root at dc1:~# ll | grep test
   0 -rw-r--r--  1 MAD\luis MAD\unix admins    0 Jun 11 14:13 test

root at dc1:~# ll -n | grep test
   0 -rw-r--r--  1 10005 10007    0 Jun 11 14:13 test

We see uid 10005 and gid 10007, ‘luis’ and ‘Unix Admins’ respectively from the rfc2307 attributes. Correct.

root at dc1:~# wbinfo --gid-info 10007
MAD\unix admins:x:10007:

root at dc1:~# wbinfo --uid-info 10005
MAD\luis:*:10005:10000::/home/MAD/luis:/bin/false


All working as expected.


** Now let's remove 'idmap_ldb:use rfc2307 = yes' from smb.conf and reboot **

The file /root/test cannot be mapped to a user, as expected.

root at dc1:~# ll  | grep test
   0 -rw-r--r--  1 10005 10007    0 Jun 11 14:13 test

Let's re-assign it.

chown Luis:'Unix Admins' test

root at dc1:~# ll  | grep test
   0 -rw-r--r--  1 MAD\luis MAD\unix admins    0 Jun 11 14:13 test

root at dc1:~# ll -n | grep test
   0 -rw-r--r--  1 3000028 3000454    0 Jun 11 14:13 test

Again, as expected, we are getting a uid and gid in the 3000000+ range from the internal tdb. The IDs are different from those on any member server with RID or AD mapping, so what? If RID is used on the other member servers, we will have different mappings on the members and the DCs anyway.

So, question number 1: is idmap_ldb:use rfc2307 = yes required for a DC that shares no files except sysvol? I'd say no.

Question number 2: now that the DC is not reading from rfc2307, why can't I assign Domain Admins a gidNumber? The DC is not going to know about it. Right?

At this stage, I am going to assign ‘Domain Admins’ a gidNumber and check (gidNumber 10100).

if ! samba-tool ntacl sysvolcheck; then samba-tool ntacl sysvolreset; fi

This reports no errors. All looks exactly the same as before.

One more for the road. I am going to add back 'idmap_ldb:use rfc2307 = yes'.

root at dc1:~# wbinfo --gid-info 3000005
MAD\domain admins:x:3000005:

root at dc1:~# wbinfo --uid-info 3000005
MAD\domain admins:*:3000005:3000005::/home/MAD/domain admins:/bin/false

My old test file:

chown luis:'Domain Admins' test

root at dc1:~# ll  | grep test
   0 -rw-r--r--  1 MAD\luis MAD\domain admins    0 Jun 11 14:13 test

root at dc1:~# ll -n | grep test
   0 -rw-r--r--  1 3000028 3000005    0 Jun 11 14:13 test

Strange: now the DC is not reading from rfc2307 by default (not even for the user luis); it is still using the internal idmap. Have I done something wrong? However, it accepts both internal and rfc2307 uids.

root at dc1:~# wbinfo --uid-info 3000028
MAD\luis:*:10005:10000::/home/MAD/luis:/bin/false

root at dc1:~# wbinfo --uid-info 10005
MAD\luis:*:10005:10000::/home/MAD/luis:/bin/false

I am confused. Again.

Thank you for your inputs. And sorry for the long email.

LP
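The post above toggles 'idmap_ldb:use rfc2307 = yes' and watches `ll -n` owners flip between rfc2307 uids/gids (10005, 10007) and idmap.ldb-allocated xids (3000028, 3000454, 3000005). The script below is an added example, written for this page and not code from the original post or from the Samba project. It calls no Samba tools; it works on text an administrator already has at hand: the [global] section of smb.conf and `ls -ln` style output from the DC. It checks whether the option is set (honouring smb.conf's case- and whitespace-insensitive parameter names), and lists files whose owner or group is an autogenerated idmap.ldb xid, i.e. IDs that are local to one DC's idmap.ldb and will not match the rfc2307 values a member server sees. The smb.conf fragments and the `ls` lines are constructed samples that reuse names from the post (DC1, MAD, mad.caponato.es, the policy GUID); the 3000000 lower bound is the default start of the idmap.ldb range and is an assumption that the range was left at its default.

```python
"""Audit idmap behaviour on a Samba AD DC from smb.conf text and ls -ln output.

Added example for the mailing-list post; not the author's or Samba's code.
"""
import re

# Samba's idmap.ldb on a DC allocates xids from 3000000 upwards by default
# (the 3000005 / 3000028 / 3000454 values seen in the post).  Assumption:
# the default range has not been changed on this DC.
IDMAP_LDB_START = 3000000

# A permission field such as -rw-r--r-- or drwxrwx---+ (optional ACL marker).
PERMS = re.compile(r'^[-dlcbps][rwxsStT-]{9}[.+@]?$')


def rfc2307_enabled(smb_conf_text):
    """True if 'idmap_ldb:use rfc2307 = yes' is set in [global].

    smb.conf parameter names ignore case and internal whitespace, so
    'idmap_ldb : use RFC2307 = Yes' is treated the same.  Comment lines
    start with '#' or ';'.
    """
    in_global = False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('['):
            in_global = line.lower() == '[global]'
            continue
        if not in_global or '=' not in line:
            continue
        key, _, value = line.partition('=')
        key = re.sub(r'\s+', '', key).lower()
        if key == 'idmap_ldb:userfc2307':
            return value.strip().lower() in ('yes', 'true', '1', 'on')
    return False


def classify_id(xid):
    """'idmap.ldb' for an autogenerated DC-local xid, else 'rfc2307/local'."""
    return 'idmap.ldb' if xid >= IDMAP_LDB_START else 'rfc2307/local'


def find_dc_local_owners(ls_n_output):
    """Parse `ls -ln` (or `ll -n` with a leading block column) output.

    Returns (name, uid, gid) for every entry whose numeric owner or group
    lies in the idmap.ldb range, i.e. an ID that exists only in this DC's
    idmap.ldb and differs from any rfc2307 or RID mapping elsewhere.
    """
    hits = []
    for line in ls_n_output.splitlines():
        tokens = line.split()
        perms_at = next((i for i, t in enumerate(tokens) if PERMS.match(t)), None)
        if perms_at is None or len(tokens) < perms_at + 9:
            continue  # 'total N' line or something that is not a listing
        uid_s, gid_s = tokens[perms_at + 2], tokens[perms_at + 3]
        if not (uid_s.isdigit() and gid_s.isdigit()):
            continue  # names, not numbers: output was not from ls -n
        uid, gid = int(uid_s), int(gid_s)
        name = ' '.join(tokens[perms_at + 8:])
        if 'idmap.ldb' in (classify_id(uid), classify_id(gid)):
            hits.append((name, uid, gid))
    return hits


# Constructed smb.conf sample modelled on a provisioned DC.
SMB_CONF_WITH = """\
# Global parameters
[global]
        netbios name = DC1
        realm = MAD.CAPONATO.ES
        server role = active directory domain controller
        workgroup = MAD
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

# The same file with the option removed, as in the post's second experiment.
SMB_CONF_WITHOUT = SMB_CONF_WITH.replace("        idmap_ldb:use rfc2307 = yes\n", "")

# Constructed `ls -ln` output mixing rfc2307 IDs and idmap.ldb xids.
SAMPLE_LS = """\
total 8
-rw-r--r-- 1 10005   10007   0 Jun 11 14:13 test
-rw-r--r-- 1 3000028 3000454 0 Jun 11 14:13 test-after
drwxrwx---+ 4 3000005 3000005 4096 Jun 11 15:17 {AE31896B-7228-4830-A7C7-A948B14C918A}
-rw-r--r-- 1 0 0 0 Jun 11 14:00 rootfile
"""

if __name__ == '__main__':
    print('rfc2307 in use:', rfc2307_enabled(SMB_CONF_WITH), rfc2307_enabled(SMB_CONF_WITHOUT))
    for name, uid, gid in find_dc_local_owners(SAMPLE_LS):
        print(f'{name}: uid {uid} ({classify_id(uid)}), gid {gid} ({classify_id(gid)})')
```

On a real DC the input would be `testparm -s` (for the effective smb.conf) piped into `rfc2307_enabled`, and `ls -lnR /var/lib/samba/sysvol` or a listing of whatever directories the DC exports piped into `find_dc_local_owners`. Entries it reports are the ones whose ownership is tied to one DC's idmap.ldb rather than to rfc2307 attributes, which is exactly the category the post's `ll -n` output lands in once the option is removed.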

