Linux - Samba ID mapping notes

• AD: Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It provides the following:

• Centralized Management: Manages users, computers, and other resources.
• Authentication and Authorization: Ensures secure access to network resources.
• Group Policy: Implements policies across multiple devices.
• Organizational Structure: Organizes resources into domains, trees, and forests for efficient administration.

• SID (Windows): In Windows operating systems and AD, SID (Security Identifier) is a unique, immutable identifier assigned to each user, group, and computer account. SIDs are used to manage access to resources and enforce security policies. They are unique within a domain and follow a specific structure, including a revision level, an identifier authority value, and a variable number of sub-authority values. SIDs are used internally by the operating system to track user and group permissions, ensuring that security settings remain consistent even if account names are changed.

• RID: In Windows operating systems and AD, a RID (Relative Identifier) is a part of the Security Identifier (SID) that uniquely identifies an account or group within a domain. The RID is the final portion of a SID and is used in conjunction with the domain SID to uniquely identify each account within the domain. For example, in the SID S-1-5-21-3623811015-3361044348-30300820-1013, the RID is 1013. Each domain controller generates RIDs from a pool assigned by the domain's RID Master to ensure uniqueness within the domain.

• UID: In Unix and Unix-like operating systems, a UID (User Identifier) is a unique number assigned to each user in a system, where 0 is reserved for root (superuser), so we can distinguishes each user on the system, controls access to files, processes, and other system resources, and it indicates which user owns a file or process.

• GID: In Unix and Unix-like operating systems, a GID (Group Identifier) is a unique number assigned to each group, distinguishes each group on the system, controls group access to files, directories, and other system resources, and indicates which group owns a file or directory, influencing group permissions.

• IDmap : Windows - Unix ID Mapping refers to the process of mapping Windows security identifiers (SIDs) to Unix user identifiers (UIDs) and group identifiers (GIDs), and vice versa. This mapping is essential for interoperability in mixed Windows and Unix/Linux environments, ensuring that permissions and ownership are correctly interpreted across systems. It allows users and groups to access resources seamlessly across different operating systems while maintaining consistent security and access controls.

• RID id-mapping: A type of ID mapping in which UIDs and GIDs are derived from the SIDs and the smb.conf idmap domain range declaration.

• AD id-mapping: A type of ID mapping in with you use RFC 2307 Unix attributes’ uidNumber and gidNumber to store UIDs and GIDs respectively. Not to be confused with the acronym 'AD', Active Directory.

• RFC 2307 is a specification that defines how to store and retrieve Unix system account information using the Lightweight Directory Access Protocol (LDAP). It outlines the schema for representing Unix user and group data within an LDAP directory, allowing for centralized management of Unix accounts. This standard supports storing details like user IDs (UIDs), group IDs (GIDs), home directories, and login shells, facilitating integration between Unix/Linux systems and directory services like Active Directory.

• RFC2307 Schema: The RFC2307 schema is a set of LDAP attributes and object classes that define UNIX-specific attributes. Key attributes include:

1. uidNumber: The uidNumber attribute is used to store the User ID (UID) of a Unix user. When Samba integrates with Active Directory using RFC 2307, it leverages the uidNumber attribute to map Unix user accounts to Active Directory users.
2. gidNumber: The gidNumber attribute is defined to store the Group ID (GID) of a Unix group. When Samba integrates with Active Directory using RFC 2307, it leverages the gidNumber attribute to map Unix groups to Active Directory groups.
3. unixHomeDirectory: The user’s home directory.
4. loginShell: The user’s shell.

What is ID mapping and why it is needed in Linux?

ID mapping backends are essential for Samba servers (both Domain Controllers and Member servers), enabling the translation of Windows Security Identifiers (SIDs) and Relative Identifiers (RIDs) into UNIX user IDs (UIDs) and group IDs (GIDs). This ensures proper management and ownership of resources in a mixed Windows and UNIX environment.

Without ID mapping, Windows users and groups would be unknown to Linux, and for his reason, unable to access resources on a Linux server.

ID-mapping in a Samba Domain Controller (DC) is managed using a dedicated backend. The Samba DC uses an internal database, idmap.ldb, to manage these mappings. The UIDs and GIDs used in this id-map are in the 3000000+ range. This mapping is done internally by Samba in the DC, and it's transparent to you.

In this internal database there are a couple of objects that deserve special attention:

• 'Administrator' AD user is mapped to uid 0, i.e., root.

root@dc1:~# wbinfo --uid-info 0
MAD\administrator:*:0:10000::/home/MAD/administrator:/bin/false 

• 'Domain Admins' AD group is mapped as a group to Unix gid 300005, and as a user to Unix with uid 300005. It's a group and a user. This is a particular object (and other AD groups too) that has 'ID_TYPE_BOTH' - it can act as a user and as a group, this means it can own files in Linux. This unique characteristic is critical for the SysVol folder, as GPOs must be owned by “Domain Admins” user. (Remember, it's a group and a user)

root@dc1:~# wbinfo --uid-info 3000005
MAD\domain admins:*:3000005:3000005::/home/MAD/domain admins:/bin/false

root@dc1:~# wbinfo --gid-info 3000005
MAD\domain admins:x:3000005:

In the member servers of an Active Directory, typically either 'RID' or 'AD' id-mappings are used. More on this later. If AD id-mapping is used in your member servers, RFC 2307 attributes (also called Unix Attributes) need to be populated for every user and group you create in the AD. More on this later. Two of these attributes are uidNumber and gidNumber, and when the mapping is done, they will directly translate to UIDs and GIDs in Linux machines.

If RFC 2307 attributes are used because you use AD id-mapping, there is an option to use this mapping for the DCs instead of the internal idmap.ldb. In this case, you should include this in in smb.conf file.:

idmap_ldb:use rfc2307  = yes

If you are adding rfc2307 attributes to the AD, AND ( you are using the DC as a fileserver, which is not recommended, needing to sync files with other ad-idmapped member server OR needing users to login into the DC with different home folders or shells ), there really is no need for this setting.

Learn why this is hard to recommend except in these very exceptional circumstances as described before, so please make sure you don’t have it in your smb.conf unless you have a very clear idea of what this means.

Using this configuration option in a DC will mean that, in order not to break the ‘ID_TYPE_BOTH’ feature of the “special” objects like 'Domain Admins', neither 'Administrator' nor 'Domain Admins' should have a uidNumber and gidNumber respectively.

Subsequently, as no gidNumber has been assigned to ‘Domain Admins’ it means nothing to a member server with AD idmapping. This adds the complexity of having to create an extra group, for example ‘Unix Admins’, assign it a gidNumber, make it a member of ‘Domain Admins’ and use this new group where you would use ‘Domain Admins’ in the member server.

Caponato's Samba notebook. Start here or else Main menu