
Re: [Samba] Avoiding uid conflicts between rfc2307 user/groups and computers




Hello,
I understand the OP; I was asking a similar question some time ago, but it was in relation to a samba domain member. I couldn't get backend: ad to work for machine accounts, so I switched to idmap: rid and it solved everything. I tried manually adding a UID and GID to the Domain Computers group and to machine accounts, but it didn't seem to work properly, so I gave up, especially since RID was perfectly fine.

On a samba AD DC idmapping is done automatically, that is if no UID/GID value is present in AD via RFC2307. I've noticed that samba by default assigns UID/GID from 300000 and just increments by 1, and by default, when set up with rfc2307, it starts from 10000, so within a single DC there should be no problem unless you somehow manage to get from 10000 to 300000 users.

The issue is keeping it in sync between multiple DCs (I ran into this issue some time ago). It might screw up the Sysvol NT ACLs if a machine account receives a different UID.

In my case I rarely use specific machine accounts in ACLs for GPOs. And if a mix-up happens I would re-sync idmap.ldb.

I hope it helps.


On 2018-01-15 at 15:05, Rowland Penny via samba wrote:
On Mon, 15 Jan 2018 14:55:55 +0100
Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi! On that day, L.P.H. van Belle via samba was saying...

It is not the SYSTEM user (that is a local user to the
workstation, so clearly does not exist on the domain).
Yes it does. Look at "Builtin\system", which is also "NT
Authority\System".
Ahem, clearly every machine (workstation, server; I suppose also the
domain) has a SYSTEM account, but they are ''different'':
MY_SERVER\SYSTEM, MY_DOMAIN\SYSTEM and KAIN\SYSTEM are different
accounts, and I think they should not be mapped to each other...


But still, a Windows workstation, when accessing some shares as the
SYSTEM user, tries to log on with the machine account.
Correct, that's by design, and if you get access denied, you hit
the "winbind" "user SYSTEM" bug(s). Fix: use acl_xattr:ignore
system acl = yes for now.
?! Reading the manpage:

        acl_xattr:ignore system acls = [yes|no]
            When set to yes, a best effort mapping from/to the POSIX
            ACL layer will not be done by this module. The default is no, which
            means that Samba keeps setting and evaluating both the system ACLs
            and the NT ACLs. This is better if you need your system ACLs be set
            for local or NFS file access, too. If you only access the data via
            Samba you might set this to yes to achieve better NT ACL
            compatibility.

seems unrelated to me.

What I'm speaking about is that, in Microsoft Server OS (and I suppose
on Samba too ;), access done by the local SYSTEM user to a share triggers
access via the respective machine account.
Some docs corroborate this:

	https://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx
	The LocalSystem account is a predefined local account used by
	the service control manager. [...]
	It has extensive privileges on the local computer, and acts as
	the computer on the network.

	https://msdn.microsoft.com/en-us/library/ms677973(VS.85).aspx
	When a service runs under the LocalSystem account on a
	computer that is a domain member, the service has whatever network
	access is granted to the computer account, or to any groups of which
	the computer account is a member.

So, on samba, it is not (only) a matter of ACLs: a machine account has
to have a UID to write to (or also read from...) a share!


Probably I'm missing something really ''basic'', but it seems obvious to
me... if I use rfc2307 in a domain member (if I use the RID backend, or
if I'm on a domain controller, some sort of automatic mapping is in
place...), the only way to have non-anonymous access to shares by the
local workstation SYSTEM account is to add a UID to the machine account...


If the KAIN$ account has no UID (and 'Domain Computers' has no GID),
clearly share access fails.
No, the computer uses system, but if you test manually it sets the
computername.
No, sorry, I've not understood what you mean...

'SYSTEM' is a windows account, there is no concept of the 'SYSTEM'
account on Unix, this includes Samba.

Please read this:

https://wiki.samba.org/index.php/The_SYSTEM_Account

Rowland


--

Best regards,
Kacper Wirski
tel. +48 608 421 424


tel:   + 48 22 637 50 01
fax:   + 48 22 637 50 04

Babka Medica Spółka z ograniczoną odpowiedzialnością Spółka komandytowa
ul. Słomińskiego 19 lok.517, 00-195 Warszawa
District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division, KRS 0000491764
NIP 525-234-00-28

http://www.babkamedica.pl/


----------------------------------------------------------------------------

The information contained in this correspondence is confidential. The correspondence
is addressed exclusively to the person (company) named above.
Distributing, copying, disclosing or passing on to third parties, in
any form, the information contained in this document, in whole or in
part, is prohibited without the prior written consent (on pain of invalidity)
of Babka Medica Sp. z o.o. Sp. k.
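The idmap_rid mapping that the poster switched to, as an added example that is not part of the thread or of Samba's own code: a POSIX shell implementation of the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, with the range check that makes a lookup fail when the resulting id falls outside the configured range, plus a helper that checks a member server's rid range against the rfc2307 uidNumber range so the two cannot collide. The domain SID, the ranges and the RID 1105 for KAIN$ are constructed for the illustration; 515 is the well-known RID of Domain Computers.

```shell
#!/bin/sh
# Added example (not Samba code): reproduce how the idmap_rid backend
# derives a Unix ID from a SID. Formula from idmap_rid(8):
#   ID = RID - BASE_RID + LOW_RANGE_ID
# The result depends only on the RID and the configured range, so every
# member server with the same "idmap config DOM : range" computes the same id.

# Print the RID, i.e. the last '-'-separated component of a SID.
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# Print the domain part of a SID (everything before the last '-').
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# idmap_rid_id DOMAIN_SID SID LOW HIGH [BASE_RID]
# Prints the Unix id idmap_rid would hand out for SID. Returns 1 (no
# mapping) when SID is not from DOMAIN_SID or the id lands outside LOW..HIGH,
# which is the "access denied / unmapped" case on a misconfigured member.
idmap_rid_id() {
    domain_sid=$1 sid=$2 low=$3 high=$4 base_rid=${5:-0}
    [ "$(sid_domain "$sid")" = "$domain_sid" ] || return 1
    rid=$(sid_rid "$sid")
    id=$((rid - base_rid + low))
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ] || return 1
    printf '%s\n' "$id"
}

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2
# Succeeds when the two inclusive ranges intersect. Use it to make sure the
# rid range on a member does not overlap the rfc2307 uidNumber range in AD.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Constructed values for the illustration. With
#   idmap config EXAMPLE : backend = rid
#   idmap config EXAMPLE : range = 1000000-1999999
# the machine account KAIN$ (RID 1105 here) gets uid 1001105 on every member.
DOMAIN_SID='S-1-5-21-111111111-222222222-333333333'
idmap_rid_id "$DOMAIN_SID" "$DOMAIN_SID-1105" 1000000 1999999
idmap_rid_id "$DOMAIN_SID" "$DOMAIN_SID-515" 1000000 1999999   # Domain Computers
if ranges_overlap 10000 299999 1000000 1999999; then
    echo "rid range overlaps the rfc2307 range" >&2
else
    echo "rid range and rfc2307 range are disjoint"
fi
```

Because the id is a pure function of the RID and the range, a computer object needs no uidNumber or gidNumber attribute for the member to map it, which is the behaviour the poster describes after moving from backend ad to rid; the same script also shows why an `idmap config` range that overlaps the rfc2307 numbers in AD is a misconfiguration, since the two allocators would then hand out the same ids to different objects.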

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba