
Re: [Samba] Best way to generate Unix UIDs and GIDs?




On 14/01/2018 at 15:51, Rowland Penny via samba wrote:
> On Sun, 14 Jan 2018 14:53:15 +0100
> Yvan Masson via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
>> Hi,
>>
>> For a new samba domain, I need to create users and groups with Unix
>> UIDs and GIDs.
>>
>> In the future, it is possible that there will be a trust with other
>> domains, so I need to take care that there won't be any UID/GID
>> conflict. Also, I assume that in the future Samba will be able to
>> restore deleted objects, so I need to avoid conflicts with those
>> objects as well.
>>
>> This makes me think that a good way would be to generate UIDs/GUIDs
>> from SID. I know SSSD does it (apparently not ensuring
>> consistency[1]), but I could not find a script that does only this.
>> However, I found this python script[2] which seems to be what
>> Centrify does.
>>
>> What do you think about all of this?
>>
>> Regards,
>> Yvan
>>
>> 1.
>> https://funinit.wordpress.com/2017/09/14/integrating-red-hat-with-active-directory/
>> 2. https://gist.github.com/msmorul/11217186
>>
> 
> Can I suggest you read this:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> and this:
> 
> https://wiki.samba.org/index.php/Idmap_config_rid

I was thinking that a good practice would be to fill the uidNumber and
gidNumber attributes in Samba AD, and that RID ID mapping would not be
adequate for many networks. After reading this doc again, and setting
aside home path, shell and gecos, it seems I was wrong and that using
rfc2307 is not worth the effort for many setups.
> 
> winbind will do what you require, I cannot comment on [1], sssd has
> NOTHING to do with Samba.

I know sssd has nothing to do with Samba, but it is usually the Samba admin
who would add Unix UIDs/GIDs to AD, hence my question on this mailing list.

> I also cannot recommend using [2], from
> examining the script, it would appear that it would be possible to get
> the same ID for two users from different domains e.g. if we take these
> two SID-RIDS:
> 
> S-1-5-21-1768301897-3342589593-1064908849-3601
> 
> S-1-5-21-2879412908-4453690604-1064908849-3601
> 
> It appears the script would take a portion of the end of the SID, add
> '0' to the RID, so they could be:
> 06490884903601
> and
> 06490884903601
> 
> How would Samba and Unix tell them apart?
> Windows could tell the two SID-RIDs apart.

Thanks for spotting the weakness of this script.

Thus I believe a perfect solution to calculate UIDs/GIDs from SID does
not exist yet, or is not possible (no maths formula can ensure
uniqueness of Unix IDs from SIDs across domains).

Thanks,
Yvan
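As an added illustration of the collision Rowland describes (this is not code from the thread or from the gist), the script below reconstructs the mapping as he describes it and contrasts it with per-domain RID ranges in the style of idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID). The reconstructed mapping, the third SID and the range values are assumptions made for the example.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def parse_sid(sid):
    """Return (domain SID as string, RID as int) for a SID-RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID-RID: {sid}")
    return sid.rsplit("-", 1)[0], int(m.group(4))

def lossy_id(sid):
    """Mapping as described in the thread (reconstructed, an assumption):
    last 9 digits of the final domain sub-authority, then '0', then the RID.
    Two domains sharing that sub-authority map to the same string."""
    domain, rid = parse_sid(sid)
    tail = domain.rsplit("-", 1)[1][-9:]
    return f"{tail}0{rid}"

def rid_mapper(ranges, base_rid=0):
    """idmap_rid style: ID = RID - BASE_RID + LOW_RANGE_ID, with a disjoint
    range per domain SID, so two domains cannot produce the same ID."""
    def mapper(sid):
        domain, rid = parse_sid(sid)
        low, high = ranges[domain]          # KeyError: unknown domain gets no ID
        uid = rid - base_rid + low
        if not low <= uid <= high:
            raise ValueError(f"RID {rid} falls outside the range of {domain}")
        return uid
    return mapper

def find_collisions(sids, mapper):
    """Group SIDs by the ID a mapper assigns; return IDs claimed by >1 SID."""
    by_id = defaultdict(list)
    for sid in sids:
        by_id[mapper(sid)].append(sid)
    return {uid: owners for uid, owners in by_id.items() if len(owners) > 1}

# Constructed sample: the two SID-RIDs quoted in the thread plus one more user.
SAMPLE_SIDS = [
    "S-1-5-21-1768301897-3342589593-1064908849-3601",
    "S-1-5-21-2879412908-4453690604-1064908849-3601",
    "S-1-5-21-1768301897-3342589593-1064908849-1105",
]
# Constructed per-domain ranges, as a per-domain idmap config would supply.
RANGES = {
    "S-1-5-21-1768301897-3342589593-1064908849": (10000, 19999),
    "S-1-5-21-2879412908-4453690604-1064908849": (20000, 29999),
}

if __name__ == "__main__":
    print("lossy scheme:", find_collisions(SAMPLE_SIDS, lossy_id))
    print("per-domain RID ranges:", find_collisions(SAMPLE_SIDS, rid_mapper(RANGES)))
```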


