public inbox for cygwin@cygwin.com
* Help with standalone samba SID-uid mapping
@ 2022-01-13 22:39 Chris Roehrig
  2022-01-14 10:04 ` Corinna Vinschen
  0 siblings, 1 reply; 5+ messages in thread
From: Chris Roehrig @ 2022-01-13 22:39 UTC (permalink / raw)
  To: cygwin

I'm trying to set up samba (standalone) following these instructions:
	https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba

but I'm having no luck getting my samba user/groups to appear correctly using the <cygwin unix="601"/> comment field as described in the document.

I'm using samba 4.13.14 on Ubuntu 20.04 with security = user (smbpasswd).   winbindd is not installed and I'm not using any LDAP or AD anywhere.

E.g. here is what is on the server (croehrig:croehrig = 601:601; cristina:cristina = 603:603)
housesrv[3]% ls -l /House/Users
total 17
drwxr-xr-x  9 cristina cristina 22 Jan 12 16:06 cristina
drwxr-xr-x 30 croehrig croehrig 53 Jan 13 09:47 croehrig


Here are the ACLs and SIDs when looking on the windows client:
tyto[5]% icacls \\\\housesrv\\Users\\\*
\\housesrv\Users\cristina S-1-5-21-751087815-2087572193-42305691-1001:(F)
                          S-1-22-2-603:(RX)
                          Everyone:(RX)

\\housesrv\Users\croehrig S-1-5-21-751087815-2087572193-42305691-1000:(F)
                          S-1-22-2-601:(RX)
                          Everyone:(RX)

As you can see, the gid is mapping to the S-1-22-2-<gid> as described in the document above, but
the uid is using a domain-specific SID with different RIDs. 


On the windows client I have the same users and groups set up locally (SAM) with appropriate SID mappings to the same uid/gids (601/603) in the Cygwin /etc/passwd and /etc/group.     This has all been working well to ensure e.g. rsync preserves permissions and ownership between cygwin and Linux.  (The windows groups are called 'grp-croehrig' and 'grp-cristina' since windows users and groups share a namespace, but they are mapped to 'croehrig' and 'cristina' in /etc/group).


Here is how the SMB share looks under Cygwin:
tyto[6]% ls -l //housesrv/Users/
total 0
drwxr-xr-x 1 Unknown+User Unix_Group+603 0 Jan 12 16:06 cristina
drwxr-xr-x 1 Unknown+User Unix_Group+601 0 Jan 13 09:47 croehrig
tyto[7]% ls -ln //housesrv/Users/
total 0
drwxr-xr-x 1 4294967295 4278190683 0 Jan 12 16:06 cristina
drwxr-xr-x 1 4294967295 4278190681 0 Jan 13 09:47 croehrig

I have added the SAM desc/comment field as described in the document above:  i.e.
	net localgroup grp-croehrig /comment:'<cygwin unix="601"/>'
	net user croehrig /comment:'<cygwin unix="601" group="grp-croehrig" />'
and restarted all Cygwin processes, but it doesn't seem to have any effect ('net user croehrig' shows the comment is indeed present).     I guess I don't understand how that comment field works.


Anyone have any advice? 

Thanks,
-- Chris



* Re: Help with standalone samba SID-uid mapping
  2022-01-13 22:39 Help with standalone samba SID-uid mapping Chris Roehrig
@ 2022-01-14 10:04 ` Corinna Vinschen
  2022-01-14 19:57   ` Chris Roehrig
  0 siblings, 1 reply; 5+ messages in thread
From: Corinna Vinschen @ 2022-01-14 10:04 UTC (permalink / raw)
  To: cygwin

On Jan 13 14:39, Chris Roehrig wrote:
> I'm trying to set up samba (standalone) following these instructions:
> 	https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
> 
> but I'm having no luck getting my samba user/groups to appear correctly using the <cygwin unix="601"/> comment field as described in the document.
> 
> I'm using samba 4.13.14 on Ubuntu 20.04 with security = user (smbpasswd).   winbindd is not installed and I'm not using any LDAP or AD anywhere.
> 
> E.g. here is what is on the server (croehrig:croehrig = 601:601; cristina:cristina = 603:603)
> housesrv[3]% ls -l /House/Users
> total 17
> drwxr-xr-x  9 cristina cristina 22 Jan 12 16:06 cristina
> drwxr-xr-x 30 croehrig croehrig 53 Jan 13 09:47 croehrig
> 
> 
> Here are the ACLs and SIDs when looking on the windows client:
> tyto[5]% icacls \\\\housesrv\\Users\\\*
> \\housesrv\Users\cristina S-1-5-21-751087815-2087572193-42305691-1001:(F)
>                           S-1-22-2-603:(RX)
>                           Everyone:(RX)
> 
> \\housesrv\Users\croehrig S-1-5-21-751087815-2087572193-42305691-1000:(F)
>                           S-1-22-2-601:(RX)
>                           Everyone:(RX)
> 
> As you can see, the gid is mapping to the S-1-22-2-<gid> as described
> in the document above, but the uid is using a domain-specific SID with
> different RIDs. 

These look like your standard Windows SIDs, so they are your SIDs for
users cristina and croehrig on Windows.  They should show up as such in
ls -l output, unless the SID is actually wrong, e. g., they map to your
accounts on another machine or something like that.

> On the windows client I have the same users and groups set up locally
> (SAM) with appropriate SID mappings to the same uid/gids (601/603) in
> the Cygwin /etc/passwd and /etc/group.     This has all been working
> well to ensure e.g. rsync preserves permissions and ownership between
> cygwin and Linux.  (The windows groups are called 'grp-croehrig' and
> 'grp-cristina' since windows users and groups share a namespace, but
> they are mapped to 'croehrig' and 'cristina' in /etc/group).
> 
> 
> Here is how the SMB share looks under Cygwin:
> tyto[6]% ls -l //housesrv/Users/
> total 0
> drwxr-xr-x 1 Unknown+User Unix_Group+603 0 Jan 12 16:06 cristina
> drwxr-xr-x 1 Unknown+User Unix_Group+601 0 Jan 13 09:47 croehrig

Sorry, but I don't quite understand.  If you have matching /etc/passwd
and /etc/group files, and your /etc/nsswitch.conf allows reading the
files, this shouldn't happen.  Are the Windows SIDs correct?  Are they
matching your machine?


Corinna


* Re: Help with standalone samba SID-uid mapping
  2022-01-14 10:04 ` Corinna Vinschen
@ 2022-01-14 19:57   ` Chris Roehrig
  2022-01-17 12:04     ` Corinna Vinschen
  0 siblings, 1 reply; 5+ messages in thread
From: Chris Roehrig @ 2022-01-14 19:57 UTC (permalink / raw)
  To: cygwin

On Fri Jan 14 2022, at 2:04 AM, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:

> On Jan 13 14:39, Chris Roehrig wrote:
>> I'm trying to set up samba (standalone) following these instructions:
>> 	https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
>> 
>> but I'm having no luck getting my samba user/groups to appear correctly using the <cygwin unix="601"/> comment field as described in the document.
>> 
>> I'm using samba 4.13.14 on Ubuntu 20.04 with security = user (smbpasswd).   winbindd is not installed and I'm not using any LDAP or AD anywhere.
>> 
>> E.g. here is what is on the server (croehrig:croehrig = 601:601; cristina:cristina = 603:603)
>> housesrv[3]% ls -l /House/Users
>> total 17
>> drwxr-xr-x  9 cristina cristina 22 Jan 12 16:06 cristina
>> drwxr-xr-x 30 croehrig croehrig 53 Jan 13 09:47 croehrig
>> 
>> 
>> Here are the ACLs and SIDs when looking on the windows client:
>> tyto[5]% icacls \\\\housesrv\\Users\\\*
>> \\housesrv\Users\cristina S-1-5-21-751087815-2087572193-42305691-1001:(F)
>>                          S-1-22-2-603:(RX)
>>                          Everyone:(RX)
>> 
>> \\housesrv\Users\croehrig S-1-5-21-751087815-2087572193-42305691-1000:(F)
>>                          S-1-22-2-601:(RX)
>>                          Everyone:(RX)
>> 
>> As you can see, the gid is mapping to the S-1-22-2-<gid> as described
>> in the document above, but the uid is using a domain-specific SID with
>> different RIDs. 
> 
> These look like your standard Windows SIDs, so they are your SIDs for
> users cristina and croehrig on Windows.  They should show up as such in
> ls -l output, unless the SID is actually wrong, e. g., they map to your
> accounts on another machine or something like that.

No, those are the SIDs supplied by the Samba server (see below for my local Windows SIDs).   Here they are directly on the Linux machine:
housesrv[11]% smbcacls --numeric //housesrv/Users croehrig
Enter WORKGROUP\croehrig's password: 
REVISION:1
CONTROL:0x9004
OWNER:S-1-5-21-751087815-2087572193-42305691-1000
GROUP:S-1-22-2-601
ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
ACL:S-1-22-2-601:0/0x0/0x001200a9
ACL:S-1-1-0:0/0x0/0x001200a9

(I think that Samba now uses a more complex IDMAP algorithm than when the Cygwin document above was written and now provides a full domain component to its SIDs.)


I just added those SIDs to  /etc/passwd and /etc/groups (double entries now) and it now works for the user, but (oddly) not the group:

tyto[6]% ls -l //housesrv/Users/				## NB: this is a UNC path to the samba share
total 0
drwxr-xr-x 1 cristina Unix_Group+603 0 Jan 12 16:06 cristina
drwxr-xr-x 1 croehrig Unix_Group+601 0 Jan 14 09:18 croehrig

NB: I'm only having issues with the files on the samba share.   All my local files work fine and correctly show the user/group.

Here are the SIDs on my local Windows machine (they are different on each of my Windows clients):
tyto[7]% wmic useraccount get name,sid | grep cr
cristina            S-1-5-21-1290748074-662758565-4273641972-1007  
croehrig            S-1-5-21-1290748074-662758565-4273641972-1002 
tyto[8]% wmic group get name,sid | grep cr
grp-cristina                         S-1-5-21-1290748074-662758565-4273641972-1008  
grp-croehrig                         S-1-5-21-1290748074-662758565-4273641972-1006  

tyto[9]% cat /etc/passwd
croehrig:*:601:601:HOUSESRV\croehrig,S-1-5-21-751087815-2087572193-42305691-1000:/home/croehrig:/bin/bash
cristina:*:603:603:HOUSESRV\cristina,S-1-5-21-751087815-2087572193-42305691-1001:/home/cristina:/bin/bash
croehrig:*:601:601:U-TYTO\croehrig,S-1-5-21-1290748074-662758565-4273641972-1002:/home/croehrig:/bin/bash
cristina:*:603:603:U-TYTO\cristina,S-1-5-21-1290748074-662758565-4273641972-1007:/home/cristina:/bin/bash

tyto[10]% cat /etc/group
croehrig:S-1-22-2-601:601:
cristina:S-1-22-2-603:603:
croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:
admin:S-1-5-21-1290748074-662758565-4273641972-1004:80:
chrises:S-1-5-21-1290748074-662758565-4273641972-1003:1001:
house:S-1-5-21-1290748074-662758565-4273641972-1005:1002:
nobody:S-1-5-21-1290748074-662758565-4273641972-513:99:


Any idea why those first two /etc/group entries are not working?    The rest work fine (on local files only of course).
I tried temporarily deleting the 3rd and 4th entries in case there was an issue with double entries but it made no difference (even after restarting all cygwin processes).


> 
>> On the windows client I have the same users and groups set up locally
>> (SAM) with appropriate SID mappings to the same uid/gids (601/603) in
>> the Cygwin /etc/passwd and /etc/group.     This has all been working
>> well to ensure e.g. rsync preserves permissions and ownership between
>> cygwin and Linux.  (The windows groups are called 'grp-croehrig' and
>> 'grp-cristina' since windows users and groups share a namespace, but
>> they are mapped to 'croehrig' and 'cristina' in /etc/group).
>> 
>> 
>> Here is how the SMB share looks under Cygwin:
>> tyto[6]% ls -l //housesrv/Users/
>> total 0
>> drwxr-xr-x 1 Unknown+User Unix_Group+603 0 Jan 12 16:06 cristina
>> drwxr-xr-x 1 Unknown+User Unix_Group+601 0 Jan 13 09:47 croehrig
> 
> Sorry, but I don't quite understand.  If you have matching /etc/passwd
> and /etc/group files, and your /etc/nsswitch.conf allows reading the
> files, this shouldn't happen.  Are the Windows SIDs correct?  Are they
> matching your machine?

> 
> Corinna
> 
> -- 
> Problem reports:      https://cygwin.com/problems.html
> FAQ:                  https://cygwin.com/faq/
> Documentation:        https://cygwin.com/docs.html
> Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
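
The following is an added example, not code from this thread and not Cygwin's own implementation: a small model of how Cygwin turns the SIDs a Samba server returns into the names and numeric ids that `ls -l` and `ls -ln` print, which makes the values in the first message (`4294967295` for `Unknown+User`, `4278190683` for `Unix_Group+603`) and the effect of the `/etc/passwd` and `/etc/group` entries above reproducible offline. The passwd/group lines and SIDs are copied from the thread. The lookup order (file entry first, then the `S-1-22-1-<uid>` / `S-1-22-2-<gid>` fallback, then "Unknown") and the `use_files` switch standing in for the nsswitch.conf source are assumptions of this example; the `0xFF000000` offset for `Unix_User+N` / `Unix_Group+N` is the one the Cygwin user guide documents.

```python
# Added example (not Cygwin's code): model of Cygwin's SID -> name/uid/gid
# resolution for entries on a Samba share.  Data copied from the thread;
# the lookup order and the use_files switch are assumptions.
import re

UNIX_ID_BASE = 0xFF000000   # Cygwin's offset for Unix_User+N / Unix_Group+N
UNKNOWN_ID = 0xFFFFFFFF     # 4294967295, what `ls -ln` printed for Unknown+User

# Entries copied from the thread's /etc/passwd and /etc/group.
PASSWD_TEXT = r"""
croehrig:*:601:601:HOUSESRV\croehrig,S-1-5-21-751087815-2087572193-42305691-1000:/home/croehrig:/bin/bash
cristina:*:603:603:HOUSESRV\cristina,S-1-5-21-751087815-2087572193-42305691-1001:/home/cristina:/bin/bash
"""
GROUP_TEXT = r"""
croehrig:S-1-22-2-601:601:
cristina:S-1-22-2-603:603:
"""

UNIX_USER_RE = re.compile(r"^S-1-22-1-(\d+)$")               # Samba "Unix user N"
UNIX_GROUP_RE = re.compile(r"^S-1-22-2-(\d+)$")              # Samba "Unix group N"
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")  # domain SID + RID


def parse_passwd(text):
    """{SID: (name, uid, gid)} from Cygwin-style passwd lines.

    Cygwin keeps the Windows account name and SID in the gecos field as
    'DOMAIN\\name,SID'; ownership lookups key on that SID."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, _home, _shell = line.split(":", 6)
        sid = gecos.rsplit(",", 1)[-1]
        table[sid] = (name, int(uid), int(gid))
    return table


def parse_group(text):
    """{SID: (name, gid)} from Cygwin-style group lines 'name:SID:gid:members'."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sid, gid, _members = line.split(":", 3)
        table[sid] = (name, int(gid))
    return table


def domain_of(sid):
    """Domain part of an S-1-5-21 account SID (what `net getdomainsid` prints),
    or None for well-known and Unix (S-1-22) SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return m.group(1) if m else None


def resolve_user(sid, passwd, use_files=True):
    """(name, uid) for an owner SID: file entry, else Unix_User+N, else Unknown."""
    if use_files and sid in passwd:
        name, uid, _gid = passwd[sid]
        return name, uid
    m = UNIX_USER_RE.match(sid)
    if m:
        n = int(m.group(1))
        return f"Unix_User+{n}", UNIX_ID_BASE + n
    return "Unknown+User", UNKNOWN_ID


def resolve_group(sid, group, use_files=True):
    """(name, gid) for a group SID: file entry, else Unix_Group+N, else Unknown."""
    if use_files and sid in group:
        return group[sid]
    m = UNIX_GROUP_RE.match(sid)
    if m:
        n = int(m.group(1))
        return f"Unix_Group+{n}", UNIX_ID_BASE + n
    return "Unknown+Group", UNKNOWN_ID


def ls_line(path, owner_sid, group_sid, passwd, group, numeric=False, use_files=True):
    """The owner/group columns of an `ls -l` (or `ls -ln`) line for a share entry."""
    uname, uid = resolve_user(owner_sid, passwd, use_files)
    gname, gid = resolve_group(group_sid, group, use_files)
    who = f"{uid} {gid}" if numeric else f"{uname} {gname}"
    return f"{who} {path}"


if __name__ == "__main__":
    owner = "S-1-5-21-751087815-2087572193-42305691-1000"   # OWNER from smbcacls
    grp = "S-1-22-2-601"                                     # GROUP from smbcacls
    pw, gr = parse_passwd(PASSWD_TEXT), parse_group(GROUP_TEXT)
    # No matching file entries: the Unknown+User / Unix_Group+601 output of the first message
    print(ls_line("croehrig", owner, grp, {}, {}))
    print(ls_line("croehrig", owner, grp, {}, {}, numeric=True))
    # File entries present and consulted for both users and groups
    print(ls_line("croehrig", owner, grp, pw, gr))
    # Group source not reading the files: the user resolves, the group does not
    print(ls_line("croehrig", owner, grp, pw, {}, use_files=True))
    print("Samba domain SID:", domain_of(owner))
```

Two things worth checking with this model against a real setup: the numeric fallback ids are `0xFF000000 + N`, so `4278190683 - 0xFF000000 == 603` confirms a `Unix_Group+N` fallback rather than a genuinely unknown SID, and `domain_of()` applied to the owner SID from `smbcacls --numeric` should equal the machine SID that `net getdomainsid` prints on the Samba host; a mismatch means the `/etc/passwd` entry is keyed on the wrong SID and will never match.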



* Re: Help with standalone samba SID-uid mapping
  2022-01-14 19:57   ` Chris Roehrig
@ 2022-01-17 12:04     ` Corinna Vinschen
  2022-01-17 19:53       ` Chris Roehrig
  0 siblings, 1 reply; 5+ messages in thread
From: Corinna Vinschen @ 2022-01-17 12:04 UTC (permalink / raw)
  To: cygwin

On Jan 14 11:57, Chris Roehrig wrote:
> On Fri Jan 14 2022, at 2:04 AM, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:
> > These look like your standard Windows SIDs, so they are your SIDs for
> > users cristina and croehrig on Windows.  They should show up as such in
> > ls -l output, unless the SID is actually wrong, e. g., they map to your
> > accounts on another machine or something like that.
> 
> No, those are the SIDs supplied by the Samba server (see below for my local Windows SIDs).   Here they are directly on the Linux machine:
> housesrv[11]% smbcacls --numeric //housesrv/Users croehrig
> Enter WORKGROUP\croehrig's password: 
> REVISION:1
> CONTROL:0x9004
> OWNER:S-1-5-21-751087815-2087572193-42305691-1000
> GROUP:S-1-22-2-601
> ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
> ACL:S-1-22-2-601:0/0x0/0x001200a9
> ACL:S-1-1-0:0/0x0/0x001200a9
> 
> (I think that Samba now uses a more complex IDMAP algorithm than when
> the Cygwin document above was written and now provides a full domain
> component to its SIDs.)

That may be so, but in my installation, Samba reports the Unix User ID
as owner, i. e.

  $ icacls \\\\server\\corinna\\foo
  \\server\corinna\foo S-1-22-1-500:(R,W,D,WDAC,WO)
                       S-1-22-2-11125:(R)
                       Everyone:(R)

and that's with Samba 4.15.3.  I'm doing the mapping via the AD
uidNumber and gidNumber fields.  I've been using this setup for so long that I
don't remember if I ever saw a "normal", Windows-like SID for the user
returned by Samba.  I never ran winbindd, up until Samba 4.15.3, which
was the first one forcing me to do so when using AD support.

> I just added those SIDs to  /etc/passwd and /etc/groups (double
> entries now) and it now works for the user, but (oddly) not the group:
> 
> tyto[6]% ls -l //housesrv/Users/				## NB: this is a UNC path to the samba share
> total 0
> drwxr-xr-x 1 cristina Unix_Group+603 0 Jan 12 16:06 cristina
> drwxr-xr-x 1 croehrig Unix_Group+601 0 Jan 14 09:18 croehrig
> [...]
> tyto[10]% cat /etc/group
> croehrig:S-1-22-2-601:601:
> cristina:S-1-22-2-603:603:
> croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
> cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:

Hmm, that's weird.  I just tried this myself.  First I created a stock
/etc/group file with all local and AD accounts.  Next I changed
/etc/nsswitch.conf:

  - group: db
  + group: files

Exit/restart Cygwin. `ls -l' now prints

  -rw-r--r-- 1 corinna Unknown+Group 13342 Jan 17 10:46 //calimero/corinna/foo

Now I add this line to /etc/group:

  mygroup:S-1-22-2-11125:11125:

Exit/restart Cygwin.  Now `ls -l' prints

  -rw-r--r-- 1 corinna mygroup 13342 Jan 17 10:46 //calimero/corinna/foo

So it works, apparently.  Did you set `group: db' in /etc/nsswitch.conf,
by any chance?


Corinna


* Re: Help with standalone samba SID-uid mapping
  2022-01-17 12:04     ` Corinna Vinschen
@ 2022-01-17 19:53       ` Chris Roehrig
  0 siblings, 0 replies; 5+ messages in thread
From: Chris Roehrig @ 2022-01-17 19:53 UTC (permalink / raw)
  To: cygwin


On Mon Jan 17 2022, at 4:04 AM, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:

> On Jan 14 11:57, Chris Roehrig wrote:
>> On Fri Jan 14 2022, at 2:04 AM, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:
>>> These look like your standard Windows SIDs, so they are your SIDs for
>>> users cristina and croehrig on Windows.  They should show up as such in
>>> ls -l output, unless the SID is actually wrong, e. g., they map to your
>>> accounts on another machine or something like that.
>> 
>> No, those are the SIDs supplied by the Samba server (see below for my local Windows SIDs).   Here they are directly on the Linux machine:
>> housesrv[11]% smbcacls --numeric //housesrv/Users croehrig
>> Enter WORKGROUP\croehrig's password: 
>> REVISION:1
>> CONTROL:0x9004
>> OWNER:S-1-5-21-751087815-2087572193-42305691-1000
>> GROUP:S-1-22-2-601
>> ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
>> ACL:S-1-22-2-601:0/0x0/0x001200a9
>> ACL:S-1-1-0:0/0x0/0x001200a9
>> 
>> (I think that Samba now uses a more complex IDMAP algorithm than when
>> the Cygwin document above was written and now provides a full domain
>> component to its SIDs.)
> 
> That may be so, but in my installation, Samba reports the Unix User ID
> as owner, i. e.
> 
>  $ icacls \\\\server\\corinna\\foo
>  \\server\corinna\foo S-1-22-1-500:(R,W,D,WDAC,WO)
>                       S-1-22-2-11125:(R)
>                       Everyone:(R)
> 
> and that's with Samba 4.15.3.  I'm doing the mapping via the AD
> uidNumber and gidNumber fields.  I've been using this setup for so long that I
> don't remember if I ever saw a "normal", Windows-like SID for the user
> returned by Samba.  I never ran winbindd, up until Samba 4.15.3, which
> was the first one forcing me to do so when using AD support.

I'm no Samba expert, but maybe your /var/lib/samba/private/secrets.tdb file predates that IDMAP change...?
What does 'net getdomainsid' say on your samba host?
housesrv[2]% sudo net getdomainsid
SID for local machine HOUSESRV is: S-1-5-21-751087815-2087572193-42305691
SID for domain WORKGROUP is: S-1-5-21-..........


> 
>> I just added those SIDs to  /etc/passwd and /etc/groups (double
>> entries now) and it now works for the user, but (oddly) not the group:
>> 
>> tyto[6]% ls -l //housesrv/Users/				## NB: this is a UNC path to the samba share
>> total 0
>> drwxr-xr-x 1 cristina Unix_Group+603 0 Jan 12 16:06 cristina
>> drwxr-xr-x 1 croehrig Unix_Group+601 0 Jan 14 09:18 croehrig
>> [...]
>> tyto[10]% cat /etc/group
>> croehrig:S-1-22-2-601:601:
>> cristina:S-1-22-2-603:603:
>> croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
>> cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:
> 
> Hmm, that's weird.  I just tried this myself.  First I created a stock
> /etc/group file with all local and AD accounts.  Next I changed
> /etc/nsswitch.conf:
> 
>  - group: db
>  + group: files
> 
> Exit/restart Cygwin. `ls -l' now prints
> 
>  -rw-r--r-- 1 corinna Unknown+Group 13342 Jan 17 10:46 //calimero/corinna/foo
> 
> Now I add this line to /etc/group:
> 
>  mygroup:S-1-22-2-11125:11125:
> 
> Exit/restart Cygwin.  Now `ls -l' prints
> 
>  -rw-r--r-- 1 corinna mygroup 13342 Jan 17 10:46 //calimero/corinna/foo
> 
> So it works, apparently.  Did you set `group: db' in /etc/nsswitch.conf,
> by any chance?

That did the trick.   My nsswitch.conf was the default (no lines; only comments), but everything works great now once I changed it to
group: files
Seems odd that changing it back to 'group: files db' causes the groups to revert to the Unix_Group+601 form (as if the files weren't resolving it satisfactorily).

Thanks for your help looking into this!

[Update:   cygsshd service no longer permits logins (closes connection immediately) when using 'group: files' (but it does work when running as /var/sbin/sshd -Dd).    I'll have to get syslog-ng set up to try to debug this further...]



> 
> 
> Corinna
> 


