Web lists-archives.com

Re: [Samba] Avoiding uid conflicts between rfc2307 user/groups and computers




2018-01-15 20:14 GMT+01:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:
> On Mon, 15 Jan 2018 19:51:12 +0100
> Prunk Dump via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Thank again for your help !
>>
>> 2018-01-12 21:26 GMT+01:00 Rowland Penny <rpenny@xxxxxxxxx>:
>> > The problem is, you are thinking in the wrong direction ;-)
>> > If you give a user a uidNumber, or a group a gidNumber, these will
>> > be used instead of the xidNumbers found in idmap.ldb, you do not
>> > need to alter idmap.ldb at all.
>> > The way ADUC works, is by using a couple of attributes, that, by
>> > default Samba AD doesn't have. These are 'msSFU30MaxUidNumber' &
>> > 'msSFU30MaxGidNumber' and they hold the next uidNumber & gidNumber.
>> > They should be in:
>> > dn:
>> > CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
>> >
>> > Where 'samdom' is your lowercase workgroup and
>> > 'DC=samdom,DC=example,DC=com' is your realm/dns domain.
>> >
>> > If you can write scripts, I am sure you can figure out how to use
>> > them ;-)
>> > If not, contact me off list and I will provide a sample.
>>
>> On my SAM database I have an CN=samdom,CN=ypservers entry :
>>
>> # ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
>> CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>> # record 1
>> dn:
>> CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>> objectClass: top objectClass: msSFU30DomainInfo
>> cn: fichnet
>> instanceType: 4
>> whenCreated: 20150630144502.0Z
>> whenChanged: 20150630144502.0Z
>> uSNCreated: 3768
>> uSNChanged: 3768
>> showInAdvancedViewOnly: TRUE
>> name: fichnet
>> objectGUID: e1b63980-512f-451b-a2d7-c4abdbb03a3c
>> objectCategory:
>> CN=msSFU-30-Domain-Info,CN=Schema,CN=Configuration,DC=net,DC=l
>> yc-guillaume-fichet,DC=ac-grenoble,DC=fr msSFU30MasterServerName:
>> FICHDC msSFU30OrderNumber: 10000
>> msSFU30Domains: fichnet
>> distinguishedName:
>> CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=Syste
>> m,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>>
>> But there is no msSFU30MaxUidNumber and msSFU30MaxGidNumber values.
>
> No there isn't, Samba doesn't add them, it adds everything else, just
> not those two attributes. You need to add something like this:
>
> msSFU30MaxUidNumber: 10000
> msSFU30MaxGidNumber: 10000
>
> Note, you will need to find the highest uidNumber and gidNumber, add 1
> to it and replace '10000' with these numbers.
>
>>
>> Do you know if this current entry was created by samba or by some
>> Windows administration tools ?
>
> Samba
>
>> Do you know if I need to add a class to add the msSFU30MaxUidNumber
>> and msSFU30MaxGidNumber values ?
>
> No you don't need add any other objectclasses
>
>> (I don't know how to read schema specification directly inside the
>> database)
>>
>> 2018-01-15 16:18 GMT+01:00 Kacper Wirski via samba
>> <samba@xxxxxxxxxxxxxxx>:
>> > Hello,
>> > I understand the OP, I was asking some time ago similar question,
>> > but it was in relation to samba domain member. I couldn't get
>> > backend: ad to work for machine accounts, so i switched to idmap:
>> > rid and it solved everything. I tried manually adding UID and GID
>> > to Domain Computer group and to machine accounts, but it didn't
>> > seem to work properly, so I gave up especially that RID was
>> > perfectly fine.
>>
>> Thanks, but I also use the others rfc2307 attributes. Not only
>> uidNumber and gidNumber. So I need to keep all the rfc2307 values
>> updated and I can't switch to RID. Moreover, the file system is also
>> exported by NFSv4 so I need consistant ID on all the
>> databases/filesystems.
>
> You can add the required attributes with ldapmodify or ldbmodify, as I
> said, I can supply sample scripts to show the basics.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba


Thanks !

Your solution worked like a charm ! There is also another benefit, I
have now three distinct ranges for my IDs :

-> 3000000 - 3999999 for the xidNumbers ( when no rfc2307 id )
-> 4000000 - 4999999 for the user rfc2307 uidNumber
-> 5000000 - 5999999 for the group rfc2307 gidNumber

If someone is interested, here a part of the script I have used :

###############################
# get user rfc2307 attributes #
###############################

# get the new uid #
userUid=$(ldbsearch -H $samDatabase -s base -b
CN=$shortDomain,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$baseDN
msSFU30MaxUidNumber | grep 'msSFU30MaxUidNumber:')
if [ -z "$userUid" ]; then
   userUid="$baseUid"
else
   userUid=$(echo $userUid | sed 's/^msSFU30MaxUidNumber: \(.*\)/\1/')
fi

# get the gid #
strgid=$(wbinfo --group-info="$pgroupName")
userGid=$(echo $strgid | cut -d ":" -f 3)


# create the user #
samba-tool user create $userName --userou=$userDN --random-password \
--profile-path="\\\\$accountServerDns$winProfilePath\\$pgroupNameR\\$userName" \
--home-directory="\\\\$accountServerDns$winHomePath$winHomeDir\\$pgroupNameR\\$userName"
\
--home-drive="$homeDrive" \
--unix-home="/home$unixHomeDir/$pgroupNameR/$userName" \
--uid-number="$userUid" \
--gid-number="$userGid" \
--login-shell="/bin/bash"

 set passwd #
if [ -z "$userPasswd" ]; then
# --must-change-at-next-login can cause problem with roaming profiles
    samba-tool user setpassword $userName --newpassword=$userName
else
    samba-tool user setpassword $userName --newpassword=$userPasswd
fi
samba-tool user setexpiry --noexpiry $userName


############
# next uid #
############
nextUid=$((userUid+1))

echo "dn: CN=$shortDomain,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$baseDN
changetype: modify
replace: msSFU30MaxUidNumber
msSFU30MaxUidNumber: $nextUid" > /tmp/$userName

ldbmodify --url=$samDatabase -b $baseDN /tmp/$userName
rm /tmp/$userName


Thank you very much !

Baptiste.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba