[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Rowland Penny rpenny at samba.org
Tue Jun 11 15:55:57 UTC 2024


On Tue, 11 Jun 2024 15:51:46 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> All,
> 
> In the past few days I have been experimenting with the mappings in
> Samba servers. Today is the DC day.
> 
> Procedure:
> 
> In my setup, I provisioned with rfc2307 schema. In fairness everyone
> should, as it’s free, and you can later use it or not.

No, you didn't, you might have thought you did, but you didn't: all the
rfc2307 attributes are part of the standard schema. You actually will
have provisioned with '--use-rfc2307'. What this actually added to
Samba AD was the ypServ30.ldif (which is the basic OUs etc. required by
IDMU) and 'idmap_ldb:use rfc2307 = yes' to the first DC's smb.conf
(note: it isn't added when you join other DCs, you have to manually add
it).

Now with this setup, if you add uidNumber & gidNumber attributes, then
they will be used on the DC instead of the normal '3000000' range of
numbers, but if you don't add any uidNumber & gidNumber attributes,
nothing will happen, it will be as if you never set --use-rfc2307. Also,
if you remove 'idmap_ldb:use rfc2307 = yes' from a DC, it will revert to
using the '3000000' numbers even if there are rfc2307 attributes in AD.
 
> 
> 'idmap_ldb:use rfc2307 = yes' is in the smb.conf , it’s there by
> default when the domain is provisioned with rfc2307 - this reads
> gidNumbers and uidNumbers for users from the rfc2307 attributes
> supplied when creating users and groups.
> 
> I have created a couple of users and groups, ‘Unix Admins’ group
> (10007) who is a member of ‘Domain Admins’ and ‘Luis’ user (10005) ,
> member of ‘Unix Admins'
> 
> As per the generally accepted rule, 'Domain Admins' have no gidNumber
> given, not to conflict with internal idmap for 'Domain Admins'
> mapping, being a 'ID_TYPE_BOTH', meaning it's a user and a group. So
> far so good.
> 
> root at dc1:~# wbinfo --uid-info 3000005
> MAD\domain admins:*:3000005:3000005::/home/MAD/domain
> admins:/bin/false
> 
> root at dc1:~# wbinfo --gid-info 3000005
> MAD\domain admins:x:3000005:
> 
> I have created a test GPO, run 'if ! samba-tool ntacl sysvolcheck;
> then samba-tool ntacl sysvolreset; fi’ -  initially permissions wrong
> as expected and then corrected. All looking OK.
> 
> root at dc1:/var/lib/samba/sysvol/mad.caponato.es/Policies# ll
> 8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Jun
> 11 15:17 {AE31896B-7228-4830-A7C7-A948B14C918A}
> 
> I create a test file in /root/ as follows, and check for ownership:
> 
> touch test
> chown Luis:'Unix Admins' test
> 
> root at dc1:~# ll | grep test
>    0 -rw-r--r--  1 MAD\luis MAD\unix admins    0 Jun 11 14:13 test
> 
> root at dc1:~# ll -n | grep test
>    0 -rw-r--r--  1 10005 10007    0 Jun 11 14:13 test
> 
> We see uid 10005 and gid 10007, ‘luis’ and ‘Unix Admins’ respectively
> from the rfc2307 attributes. Correct.
> 
> root at dc1:~# wbinfo --gid-info 10007
> MAD\unix admins:x:10007:
> 
> root at dc1:~# wbinfo --uid-info 10005
> MAD\luis:*:10005:10000::/home/MAD/luis:/bin/false
> 
> 
> All working as expected.
> 
> 
> ** Now let's remove 'idmap_ldb:use rfc2307 = yes' from smb.conf and
> reboot**
> 
> The file /root/test cannot be mapped to a user, as expected.
> 
> root at dc1:~# ll  | grep test
>    0 -rw-r--r--  1 10005 10007    0 Jun 11 14:13 test

That is because Linux has retained the Unix IDs it had, but can no
longer map them to anything: they are not in idmap.ldb.

> 
> Lets re-assign it.
> 
> chown Luis:'Unix Admins' test
> 
> root at dc1:~# ll  | grep test
>    0 -rw-r--r--  1 MAD\luis MAD\unix admins    0 Jun 11 14:13 test
> 
> root at dc1:~# ll -n | grep test
>    0 -rw-r--r--  1 3000028 3000454    0 Jun 11 14:13 test
> 
> Again, as expected, we are getting uid and gid in the 3000000+ range
> from the internal tdb. IDs are different to any member server with
> RID or AD mapping, so what? If RID is used in other member servers,
> we will have different mappings for the members and the DCs anyway.
> 
> So, question number 1, is idmap_ldb:use rfc2307 = yes required for a
> DC that shares no files except sysvol ? I’d say no.

It isn't even required for SYSVOL

> 
> Question number 2, now that the DC is not reading from rfc2307, why
> can’t I assign Domain Admins a gidNumber ? The DC is not going to
> know about it. Right ?

You could actually, but then you must never set 'idmap_ldb:use rfc2307
= yes' on any DC. They are mutually exclusive: you either don't give
Domain Admins a gidNumber and use 'idmap_ldb:use rfc2307 = yes' on DCs,
or you don't use 'idmap_ldb:use rfc2307 = yes' on DCs and give Domain
Admins a gidNumber.

Rowland
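The two rules Rowland states above (a gidNumber on Domain Admins and
'idmap_ldb:use rfc2307 = yes' must not be combined, and the setting is
only written to the first DC's smb.conf, so other DCs can silently
disagree) can be checked mechanically. The script below is an added
example written for this page; it is not code from the thread or from
the Samba project. It assumes two inputs per DC: a plain smb.conf file
and an LDIF export of the Domain Admins object (for example from
ldbsearch against sam.ldb). The smb.conf fragments, the LDIF records and
the gidNumber 10010 are constructed sample data so it runs offline; the
realm is the one from Luis's sysvol path.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Checks, offline, the two combinations Rowland calls mutually exclusive
# ('idmap_ldb:use rfc2307 = yes' on a DC versus a gidNumber on Domain
# Admins) and whether every DC agrees on the setting, since provisioning
# with --use-rfc2307 writes it only to the first DC's smb.conf.

# Returns 0 if the smb.conf at $1 sets 'idmap_ldb:use rfc2307 = yes'.
# Whitespace around ':' and '=' is tolerated, as in the quoted smb.conf.
dc_uses_rfc2307() {
    grep -Eiq '^[[:space:]]*idmap_ldb[[:space:]]*:[[:space:]]*use[[:space:]]+rfc2307[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Returns 0 if the LDIF at $1 gives the Domain Admins group a gidNumber.
# Only attributes inside the Domain Admins record are considered.
domain_admins_has_gidnumber() {
    awk 'BEGIN { in_da = 0; hit = 0 }
         /^dn:/ { in_da = ($0 ~ /^dn: CN=Domain Admins,/) }
         in_da && /^gidNumber: [0-9]+/ { hit = 1 }
         END { exit !hit }' "$1"
}

# Verdict for one DC. Returns 1 only for the unsupported combination.
check_idmap_config() {
    smbconf=$1; ldif=$2
    if dc_uses_rfc2307 "$smbconf"; then
        if domain_admins_has_gidnumber "$ldif"; then
            echo "CONFLICT: 'idmap_ldb:use rfc2307 = yes' is set but Domain Admins has a gidNumber"
            return 1
        fi
        echo "OK: rfc2307 uidNumber/gidNumber honoured; Domain Admins keeps its idmap.ldb mapping"
        return 0
    fi
    echo "OK: rfc2307 attributes ignored on this DC; IDs come from idmap.ldb (3000000+ range)"
    return 0
}

# Returns 0 if all smb.conf files given as arguments agree on the setting
# (all set it, or none do); a mix means different IDs on different DCs.
dcs_agree() {
    yes_count=0; total=0
    for f in "$@"; do
        total=$((total + 1))
        dc_uses_rfc2307 "$f" && yes_count=$((yes_count + 1))
    done
    [ "$yes_count" -eq 0 ] || [ "$yes_count" -eq "$total" ]
}

# Constructed sample data (hypothetical DC2 and gidNumber 10010).
WORK=$(mktemp -d)
cat > "$WORK/dc1.smb.conf" <<'EOF'
[global]
        netbios name = DC1
        realm = MAD.CAPONATO.ES
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
EOF
cat > "$WORK/dc2.smb.conf" <<'EOF'
[global]
        netbios name = DC2
        realm = MAD.CAPONATO.ES
        server role = active directory domain controller
EOF
cat > "$WORK/da-nogid.ldif" <<'EOF'
dn: CN=Domain Admins,CN=Users,DC=mad,DC=caponato,DC=es
objectClass: group
sAMAccountName: Domain Admins
EOF
cat > "$WORK/da-gid.ldif" <<'EOF'
dn: CN=Domain Admins,CN=Users,DC=mad,DC=caponato,DC=es
objectClass: group
sAMAccountName: Domain Admins
gidNumber: 10010
EOF

echo "dc1, Domain Admins without gidNumber:"
check_idmap_config "$WORK/dc1.smb.conf" "$WORK/da-nogid.ldif" || :
echo "dc1, Domain Admins with gidNumber:"
check_idmap_config "$WORK/dc1.smb.conf" "$WORK/da-gid.ldif" || :
echo "dc2, Domain Admins with gidNumber:"
check_idmap_config "$WORK/dc2.smb.conf" "$WORK/da-gid.ldif" || :
dcs_agree "$WORK/dc1.smb.conf" "$WORK/dc2.smb.conf" \
    || echo "WARNING: DCs disagree on 'idmap_ldb:use rfc2307'; they will hand out different IDs"
```

On a real DC the smb.conf is the one Samba actually loads, and the LDIF can
be produced by a search for the Domain Admins object whose output begins
with its 'dn:' line; the sample files are left in $WORK for inspection.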
