Re: [Samba] idmap backend ad well-known-sids 512 & 513

On Wed, 13 Feb 2019 16:23:10 +0100
Kai Noetzel via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> we are in the process of testing a migration from our NT Classic
> Domain with OpenLdap to Samba AD.
> In our test setup migration of all accounts, groups and computer 
> accounts went well using the classicupgrade path.
> Next step now is testing how to add a member server for file server 
> services.
> We were able to get the server to join the domain and also idmapping 
> works mostly as expected.
> If we use getent group everything works as expected and we get the 
> correct group with the correct GID:
> root@fileserv2:~# getent group SOMEDOM\\stas
> SOMEDOM\stas:x:10165:
> We can use getent passwd and wbinfo -i fine for all our ldap created 
> users and get the correct UID/GID if we are using the config:
> idmap config SOMEDOM:unix_primary_group = yes

Have you got any Windows machines?
I ask this because using 'idmap config SOMEDOM:unix_primary_group =
yes' only works locally on the Unix computers; if you connect via
Samba, 'Domain Users' WILL be used.

> root@fileserv2:~# getent passwd SOMEDOM\\test.zweimal
> SOMEDOM\test.zweimal:*:10409:10000::/home/test.zweimal:/bin/false
> root@fileserv2:~# wbinfo -i SOMEDOM\\test.zweimal
> SOMEDOM\test.zweimal:*:10409:10000::/home/test.zweimal:/bin/false
> 10000 is the default GID we were using in ldap for all of our users.

Funny, so is mine, but my group is Domain Users.

> If we remove this line we won't get any output as the primary group
> then will be 513 which is the default windows sid for "Domain Users"
> and as the mapping only starts at 10000 there is no mapping to find
> for winbind.

Ah, this was one of those ideas that was thought to be a good idea
once, 'Let's use the RID for the gidNumber'. Time has shown this was a
bad idea ;-)

> So far so good and we can live perfectly having the line above in our 
> config to make this work. But we still cannot get the info for
> "Domain Users" & "Domain Admins" as they still have the SID 513 & 512.
> If we change the groups GID in AD using the ADUC tool to 10513 &
> 10512 we are able to get the info out of wbinfo & getent passwd but I
> guess this is not the way to do it properly?

It is actually; either that, or set the lower DOMAIN range to '500'. The
problem with that is that you cannot have ANY local Unix users & groups.

> root@fileserv2:~# getent group "SOMEDOM\\Domain Users"
> SOMEDOM\domain users:x:10513:
> root@fileserv2:~# getent group SOMEDOM\\Domain Admins"
> SOMEDOM\domain admins:x:10512:
> Can someone shed some light on this, or maybe I just have some kind of 
> misunderstanding of the concept. The RID backend will not be an
> option for us as we will have multiple domains we need to trust and
> as far as I understood this is not possible with RID.

It is actually, you set the different domains to have different ranges.

> The following smb.conf is used on the member server:
> [global]
>    netbios name = FILESERV2
>    workgroup = SOMEDOM
>    security = ADS
>    realm = AD.SOMEDOM.COM
>    idmap config *:backend = tdb
>    idmap config *:range = 3000-7999
>    idmap config SOMEDOM:backend = ad
>    idmap config SOMEDOM:schema_mode = rfc2307
>    idmap config SOMEDOM:range = 10000-999999
>    idmap config SOMEDOM:unix_nss_info = yes
>    idmap config SOMEDOM:unix_primary_group = yes

I see you read the wiki ;-)

>    winbind enum users = yes
>    winbind enum groups = yes

Once you are sure everything is running OK, remove the two lines above.

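A toy model of the lookups discussed in this thread (an added example, not code from the thread or from Samba): it imitates, in simplified form, how winbind with the ad backend decides whether a user or group can be mapped, using constructed sample objects with the thread's range, gidNumbers and RIDs, so the effect of unix_primary_group, of giving 'Domain Users' gidNumber 10513, and of lowering the range to 500 can be seen without a domain. The local group list is hypothetical.

```python
# Added example: a toy model of winbind's idmap_ad (rfc2307) decisions for
# this thread's setup. Not Samba code; all objects below are constructed.
IDMAP_RANGE = (10000, 999999)          # idmap config SOMEDOM:range
GROUPS = {                             # keyed by RID; gidNumber None = not set in AD
    512: {"name": "domain admins", "gidNumber": None},
    513: {"name": "domain users", "gidNumber": None},
    1165: {"name": "stas", "gidNumber": 10165},
}
USERS = {"test.zweimal": {"uidNumber": 10409, "gidNumber": 10000, "primaryGroupID": 513}}
LOCAL_IDS = {0: "root", 100: "users", 513: "some-local-group"}  # hypothetical /etc/group

def in_range(xid, rng=IDMAP_RANGE):
    return xid is not None and rng[0] <= xid <= rng[1]

def group_gid(rid, groups=GROUPS, rng=IDMAP_RANGE):
    """GID winbind would use for a group: its gidNumber, but only if inside the range."""
    gid = groups[rid]["gidNumber"]
    return gid if in_range(gid, rng) else None

def getent_passwd(name, unix_primary_group, users=USERS, groups=GROUPS, rng=IDMAP_RANGE):
    """passwd line NSS would return, or None when the user (or its primary group) is unmapped."""
    u = users[name]
    if not in_range(u["uidNumber"], rng):
        return None
    if unix_primary_group:                     # use the user's own gidNumber (simplified) ...
        gid = u["gidNumber"] if in_range(u["gidNumber"], rng) else None
    else:                                      # ... otherwise resolve primaryGroupID (RID 513)
        gid = group_gid(u["primaryGroupID"], groups, rng)
    if gid is None:
        return None  # no mapping for the primary group -> no output at all, as in the thread
    return f"SOMEDOM\\{name}:*:{u['uidNumber']}:{gid}::/home/{name}:/bin/false"

def set_group_gid(groups, rid, gid):
    """Return a copy of the groups with one gidNumber changed (what editing it in ADUC does)."""
    fixed = {r: dict(g) for r, g in groups.items()}
    fixed[rid]["gidNumber"] = gid
    return fixed

def local_collisions(rng, local=LOCAL_IDS):
    """Local Unix IDs that a lowered domain range (e.g. 500-999999) would overlap."""
    return sorted(i for i in local if rng[0] <= i <= rng[1])

if __name__ == "__main__":
    print(getent_passwd("test.zweimal", True))    # works: gidNumber 10000 is in range
    print(getent_passwd("test.zweimal", False))   # None: RID 513 has no mapping
    fixed = set_group_gid(GROUPS, 513, 10513)
    print(getent_passwd("test.zweimal", False, groups=fixed))  # works once 513 -> 10513
    print(local_collisions((500, 999999)))        # [513]: the cost of lowering the range
```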