public inbox for cygwin@cygwin.com
From: Chris Roehrig <croehrig@house.org>
To: cygwin@cygwin.com
Subject: Re: Help with standalone samba SID-uid mapping
Date: Fri, 14 Jan 2022 11:57:03 -0800	[thread overview]
Message-ID: <7BA06F03-FCFA-492E-898F-F423F03E15F6@house.org> (raw)
In-Reply-To: <YeFKleBRwCZcikxb@calimero.vinschen.de>

On Fri Jan 14 2022, at 2:04 AM, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:

> On Jan 13 14:39, Chris Roehrig wrote:
>> I'm trying to set up samba (standalone) following these instructions:
>> 	https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
>> 
>> but I'm having no luck getting my samba user/groups to appear correctly using the <cygwin unix="601"/> comment field as described in the document.
>> 
>> I'm using samba 4.13.14 on Ubuntu 20.04 with security = user (smbpasswd).   winbindd is not installed and I'm not using any LDAP or AD anywhere.
>> 
>> E.g. here is what is on the server (croehrig:croehrig = 601:601; cristina:cristina = 603:603)
>> housesrv[3]% ls -l /House/Users
>> total 17
>> drwxr-xr-x  9 cristina cristina 22 Jan 12 16:06 cristina
>> drwxr-xr-x 30 croehrig croehrig 53 Jan 13 09:47 croehrig
>> 
>> 
>> Here are the ACLs and SIDs when looking on the windows client:
>> tyto[5]% icacls \\\\housesrv\\Users\\\*
>> \\housesrv\Users\cristina S-1-5-21-751087815-2087572193-42305691-1001:(F)
>>                          S-1-22-2-603:(RX)
>>                          Everyone:(RX)
>> 
>> \\housesrv\Users\croehrig S-1-5-21-751087815-2087572193-42305691-1000:(F)
>>                          S-1-22-2-601:(RX)
>>                          Everyone:(RX)
>> 
>> As you can see, the gid is mapping to the S-1-22-2-<gid> as described
>> in the document above, but the uid is using a domain-specific SID with
>> different RIDs. 
> 
> These look like your standard Windows SIDs, so they are your SIDs for
> users cristina and croehrig on Windows.  They should show up as such in
> ls -l output, unless the SID is actually wrong, e. g., they map to your
> accounts on another machine or something like that.

No those are the SIDs supplied by the Samba server (see below for my local Windows SIDs).   Here they are directly on the Linux machine:
housesrv[11]% smbcacls --numeric //housesrv/Users croehrig
Enter WORKGROUP\croehrig's password: 
REVISION:1
CONTROL:0x9004
OWNER:S-1-5-21-751087815-2087572193-42305691-1000
GROUP:S-1-22-2-601
ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
ACL:S-1-22-2-601:0/0x0/0x001200a9
ACL:S-1-1-0:0/0x0/0x001200a9

(I think that Samba now uses a more complex IDMAP algorithm than when the Cygwin document above was written and now provides a full domain component to its SIDs.)


I just added those SIDs to  /etc/passwd and /etc/groups (double entries now) and it now works for the user, but (oddly) not the group:

tyto[6]% ls -l //housesrv/Users/				## NB: this is a UNC path to the samba share
total 0
drwxr-xr-x 1 cristina Unix_Group+603 0 Jan 12 16:06 cristina
drwxr-xr-x 1 croehrig Unix_Group+601 0 Jan 14 09:18 croehrig

NB: I'm only having issues with the files on the samba share.   All my local files work fine and correctly show the user/group.

Here are the SIDs on my local Windows machine (they are different on each of my Windows clients):
tyto[7]% wmic useraccount get name,sid | grep cr
cristina            S-1-5-21-1290748074-662758565-4273641972-1007  
croehrig            S-1-5-21-1290748074-662758565-4273641972-1002 
tyto[8]% wmic group get name,sid | grep cr
grp-cristina                         S-1-5-21-1290748074-662758565-4273641972-1008  
grp-croehrig                         S-1-5-21-1290748074-662758565-4273641972-1006  

tyto[9]% cat /etc/passwd
croehrig:*:601:601:HOUSESRV\croehrig,S-1-5-21-751087815-2087572193-42305691-1000:/home/croehrig:/bin/bash
cristina:*:603:603:HOUSESRV\cristina,S-1-5-21-751087815-2087572193-42305691-1001:/home/cristina:/bin/bash
croehrig:*:601:601:U-TYTO\croehrig,S-1-5-21-1290748074-662758565-4273641972-1002:/home/croehrig:/bin/bash
cristina:*:603:603:U-TYTO\cristina,S-1-5-21-1290748074-662758565-4273641972-1007:/home/cristina:/bin/bash

tyto[10]% cat /etc/group
croehrig:S-1-22-2-601:601:
cristina:S-1-22-2-603:603:
croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:
admin:S-1-5-21-1290748074-662758565-4273641972-1004:80:
chrises:S-1-5-21-1290748074-662758565-4273641972-1003:1001:
house:S-1-5-21-1290748074-662758565-4273641972-1005:1002:
nobody:S-1-5-21-1290748074-662758565-4273641972-513:99:


Any idea why those first two /etc/group entries are not working?    The rest work fine (on local files only of course).
I tried temporarily deleting the 3rd and 4th entries in case there was an issue with double entries but it made no difference (even after restarting all cygwin processes).


> 
>> On the windows client I have the same users and groups set up locally
>> (SAM) with appropriate SID mappings to the same uid/gids (601/603) in
>> the Cygwin /etc/passwd and /etc/group.     This has all been working
>> well to ensure e.g. rsync preserves permissions and ownership between
>> cygwin and Linux.  (The windows groups are called 'grp-croehrig' and
>> 'grp-cristina' since windows users and groups share a namespace, but
>> they are mapped to 'croehrig' and 'cristina' in /etc/group).
>> 
>> 
>> Here is how the SMB share looks under Cygwin:
>> tyto[6]% ls -l //housesrv/Users/
>> total 0
>> drwxr-xr-x 1 Unknown+User Unix_Group+603 0 Jan 12 16:06 cristina
>> drwxr-xr-x 1 Unknown+User Unix_Group+601 0 Jan 13 09:47 croehrig
> 
> Sorry, but I don't quite understand.  If you have matching /etc/passwd
> and /etc/group files, and your /etc/nsswitch.conf allows reading the
> files, this shouldn't happen.  Are the Windows SIDs correct?  Are they
> matching your machine?

> 
> Corinna
> 
> -- 
> Problem reports:      https://cygwin.com/problems.html
> FAQ:                  https://cygwin.com/faq/
> Documentation:        https://cygwin.com/docs.html
> Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
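The lookup the mail is trying to debug can be made mechanical. The following is an added example, not code from the mail or from Cygwin: it parses the /etc/passwd and /etc/group lines quoted above (Cygwin's formats, `name:*:uid:gid:DOMAIN\name,SID:home:shell` and `name:SID:gid:members`), builds SID-keyed tables, and resolves the OWNER, GROUP and ACL SIDs from the quoted `smbcacls --numeric` output against them. It is an assumption of the example that resolution is done purely from the file contents; Cygwin's own resolver (nsswitch order, built-in handling of well-known SIDs) is not reproduced. The `Unix_User+N` / `Unix_Group+N` fallback mirrors how Cygwin renders Samba's `S-1-22-1-N` / `S-1-22-2-N` SIDs when nothing maps them, as seen in the `ls -l` output above. Run against the quoted data, the tables say `S-1-22-2-601` should resolve to `croehrig`, while Cygwin displayed `Unix_Group+601`; that localises the discrepancy to the lookup path rather than to the file syntax, and the duplicate-name report shows which names carry two SIDs.

```python
import re
from dataclasses import dataclass

# Constructed sample input, copied from the /etc/passwd, /etc/group and
# smbcacls output quoted in the mail above.
PASSWD_LINES = [
    r"croehrig:*:601:601:HOUSESRV\croehrig,S-1-5-21-751087815-2087572193-42305691-1000:/home/croehrig:/bin/bash",
    r"cristina:*:603:603:HOUSESRV\cristina,S-1-5-21-751087815-2087572193-42305691-1001:/home/cristina:/bin/bash",
    r"croehrig:*:601:601:U-TYTO\croehrig,S-1-5-21-1290748074-662758565-4273641972-1002:/home/croehrig:/bin/bash",
    r"cristina:*:603:603:U-TYTO\cristina,S-1-5-21-1290748074-662758565-4273641972-1007:/home/cristina:/bin/bash",
]
GROUP_LINES = [
    "croehrig:S-1-22-2-601:601:",
    "cristina:S-1-22-2-603:603:",
    "croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:",
    "cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:",
    "admin:S-1-5-21-1290748074-662758565-4273641972-1004:80:",
    "chrises:S-1-5-21-1290748074-662758565-4273641972-1003:1001:",
    "house:S-1-5-21-1290748074-662758565-4273641972-1005:1002:",
    "nobody:S-1-5-21-1290748074-662758565-4273641972-513:99:",
]
SMBCACLS_OUTPUT = """REVISION:1
CONTROL:0x9004
OWNER:S-1-5-21-751087815-2087572193-42305691-1000
GROUP:S-1-22-2-601
ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
ACL:S-1-22-2-601:0/0x0/0x001200a9
ACL:S-1-1-0:0/0x0/0x001200a9
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
UNIX_USER_PREFIX = "S-1-22-1-"   # Samba's SID for a Unix uid
UNIX_GROUP_PREFIX = "S-1-22-2-"  # Samba's SID for a Unix gid


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    domain: str
    sid: str


@dataclass(frozen=True)
class GroupEntry:
    name: str
    sid: str
    gid: int


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse a Cygwin passwd line; the GECOS field carries 'DOMAIN\\name,SID'."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields: {line!r}")
    name, _pw, uid, gid, gecos, _home, _shell = fields
    dom_name, _, sid = gecos.partition(",")
    domain, _, _ = dom_name.partition("\\")
    if not SID_RE.match(sid):
        raise ValueError(f"no SID in GECOS field: {line!r}")
    return PasswdEntry(name, int(uid), int(gid), domain, sid)


def parse_group_line(line: str) -> GroupEntry:
    """Parse a Cygwin group line: 'name:SID:gid:members'."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields: {line!r}")
    name, sid, gid, _members = fields
    if not SID_RE.match(sid):
        raise ValueError(f"bad SID: {line!r}")
    return GroupEntry(name, sid, int(gid))


def build_tables(passwd_lines, group_lines):
    """Return (users, groups) dicts keyed by SID; duplicate names are kept
    because each duplicate carries a distinct SID."""
    users = {e.sid: e for e in map(parse_passwd_line, passwd_lines)}
    groups = {e.sid: e for e in map(parse_group_line, group_lines)}
    return users, groups


def resolve_sid(sid, users, groups):
    """Name a SID from the file tables, falling back to Cygwin's rendering
    of Samba's Unix SIDs and to '<unmapped>' for anything else."""
    if sid in users:
        return users[sid].name
    if sid in groups:
        return groups[sid].name
    if sid.startswith(UNIX_USER_PREFIX):
        return "Unix_User+" + sid[len(UNIX_USER_PREFIX):]
    if sid.startswith(UNIX_GROUP_PREFIX):
        return "Unix_Group+" + sid[len(UNIX_GROUP_PREFIX):]
    if sid == "S-1-1-0":
        return "Everyone"
    return "<unmapped>"


def duplicate_names(entries):
    """Map each name that appears more than once to the SIDs it carries."""
    seen = {}
    for e in entries:
        seen.setdefault(e.name, []).append(e.sid)
    return {n: sids for n, sids in seen.items() if len(sids) > 1}


def unix_sid_mismatches(groups):
    """Group entries whose S-1-22-2-N RID disagrees with their gid field."""
    return [g.name for g in groups.values()
            if g.sid.startswith(UNIX_GROUP_PREFIX)
            and int(g.sid[len(UNIX_GROUP_PREFIX):]) != g.gid]


def describe_acl(smbcacls_text, users, groups):
    """Resolve OWNER, GROUP and each ACL SID of smbcacls --numeric output."""
    result = {"owner": None, "group": None, "aces": []}
    for raw in smbcacls_text.splitlines():
        line = raw.strip()
        if line.startswith("OWNER:"):
            result["owner"] = resolve_sid(line[6:], users, groups)
        elif line.startswith("GROUP:"):
            result["group"] = resolve_sid(line[6:], users, groups)
        elif line.startswith("ACL:"):
            sid, _, rest = line[4:].partition(":")
            mask = rest.rsplit("/", 1)[-1]  # flags/type/access-mask
            result["aces"].append((resolve_sid(sid, users, groups), mask))
    return result


if __name__ == "__main__":
    u, g = build_tables(PASSWD_LINES, GROUP_LINES)
    print(describe_acl(SMBCACLS_OUTPUT, u, g))
    print("duplicate users:", duplicate_names(u.values()))
    print("duplicate groups:", duplicate_names(g.values()))
    print("S-1-22-2 mismatches:", unix_sid_mismatches(g))
```

If a share entry resolves to `<unmapped>` here, the SID is absent from the files and the fix is a missing entry; if it resolves to a name here but Cygwin still shows `Unix_User+N` or `Unix_Group+N`, the files are fine and the question moves to how Cygwin is reading them (nsswitch.conf, or its own treatment of the `S-1-22-x` range).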


Thread overview: 5+ messages
2022-01-13 22:39 Chris Roehrig
2022-01-14 10:04 ` Corinna Vinschen
2022-01-14 19:57   ` Chris Roehrig [this message]
2022-01-17 12:04     ` Corinna Vinschen
2022-01-17 19:53       ` Chris Roehrig
