UID and GID questions and what if we manipulate them via 'ldapmodify' command


#1

Dear all, we would like to import our users with given UID (uidNumber) and GID (gidNumber). During several chats in this forum it turned out that UCS does not allow UIDs and GIDs to be equal.

We would like to know

  1. why must UCS force UID and GID to be different? Are there technical restrictions?
  2. based on the Doppelt vergebene UIDs entry we created a script which sets UID=GID. What implications or issues should we expect if we manipulate UID/GID via ‘ldapmodify’?

Thanks for your reply and help

Regards
Daniel


#2

Hey,

I haven’t been able to find a definitive answer either. The closest to an answer I got was this bug which vaguely states that there are “problems with idmap”. The ID mapping database is used by Samba to map Windows SIDs to Unix user & group IDs. For example, in order to determine the Windows SID for the Linux user mbunkus, I might do this:

[0 root@master ~] id mbunkus
uid=2013(mbunkus) gid=5001(Domain Users) groups=5001(Domain Users),5052(Users),5078(testme)
[0 root@master ~] ldbsearch -H /var/lib/samba/private/idmap.ldb '(&(xidNumber=2013)(type=ID_TYPE_UID))'
# record 1
dn: CN=S-1-5-21-3660329584-147669591-2845762440-1113
objectClass: sidMap
type: ID_TYPE_UID
xidNumber: 2013
cn: S-1-5-21-3660329584-147669591-2845762440-1113
objectSid: S-1-5-21-3660329584-147669591-2845762440-1113
distinguishedName: CN=S-1-5-21-3660329584-147669591-2845762440-1113

# returned 1 records
# 1 entries
# 0 referrals

I don’t know if those “problems with idmap” are still relevant today. Looking at the schema used by idmap.ldb, it’s clear that entries can differentiate between user and group IDs via the type attribute. Therefore multiple entries with the same xidNumber but different type attributes shouldn’t pose a problem in theory. In fact, I experimented a bit and used ldbedit to change one xidNumber for a user-type to be the same as another entry’s xidNumber for a group-type — and the server worked fine with that. Take it with a grain of salt, of course.

Maybe those problems still stem from the days of Samba 3 and NT-style Windows domains?

If you encounter problems with having both IDs the same, they’ll likely manifest in file/directory access problems or Windows SIDs not being resolved to user names properly.

Due to all the uncertainty around this I advise against going down that road.

I’d really like some background info on this from one of the Univention people — could @requate shed some light on it?

Kind regards
mosu


#3

Yes, Bug #28999 describes the issue (in German); it’s a potential Windows/Samba vs Linux interop issue. In Windows/AD ACLs groups can be the owner of a resource, e.g. of a file. Users and Groups are identified with SIDs from the same SID pool. In Linux on the other hand, as you correctly report, the Posix IDs of users and groups are from separate “namespaces” and you are allowed to use one number as uid and gid at the same time. If you do that, then the Identity-Mapping between Windows-SIDs and Posix-IDs is not bijective any longer, as two different Windows-SIDs would then be mapped to the same Posix-ID. Ubuntu offers an implicit solution as they always create a group of the same name for a user, but it’s not enforced that they both have the same PosixID and also they don’t do it the other way (create a user for each new group).

Anyway, as @Moritz_Bunkus pointed out, Samba allows to store the type of a Posix-ID in the idmap.ldb. They have ID_TYPE_UID (telling winbind to only use this mapping for users and ignore it for groups) and ID_TYPE_GID. And as a third case they have ID_TYPE_BOTH. They introduced this third type to allow groups (such as “Domain Users”) to appear in the owner field of NTACLs, and we make use of this ID_TYPE_BOTH. If you look into idmap.ldb you will see that all groups have this type.

Now what happens, in case a Windows user or process wants to write a file with NTACLs specifying that groupX is the owner? In this case Samba has to quickly look up the Posix-ID from idmap and writes that into the uid field of the fACLs (and unix file owner). When a user would have the same Posix-ID, the file would appear to belong to that user instead of the group and the user would actually be the owner. That’s why we make a best effort approach to avoid this.
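As an added example (not code from this thread, from Univention or from Samba), the check below parses ldbsearch output of the shape quoted in post #2 and flags every xidNumber that two different SIDs claim inside the same Posix namespace, which is exactly the non-bijective case described above (a user's ID_TYPE_UID entry colliding with a group's ID_TYPE_BOTH entry). The group SIDs and numbers in the sample are constructed placeholders, and the parser assumes blank-line separated records with `attr: value` lines.

```python
from collections import defaultdict

NAMESPACES = {"ID_TYPE_UID": {"uid"}, "ID_TYPE_GID": {"gid"},
              "ID_TYPE_BOTH": {"uid", "gid"}}  # BOTH occupies both Posix namespaces

def parse_idmap_records(text):
    """ldbsearch-style output (blank-line separated 'attr: value' records,
    '#' comment lines such as '# record 1') -> list of dicts."""
    records = []
    for chunk in text.split("\n\n"):
        attrs = [l.partition(":") for l in chunk.splitlines()
                 if l.strip() and not l.startswith("#")]
        if attrs:
            records.append({k.strip(): v.strip() for k, _, v in attrs})
    return records

def find_collisions(records):
    """{xidNumber: [(sid, type), ...]} for every Posix ID claimed by two
    different SIDs in the same namespace. A plain UID entry next to a plain
    GID entry is not reported: winbind keeps those apart (post #2's theory)."""
    by_xid = defaultdict(list)
    for r in records:
        if "xidNumber" in r:
            by_xid[int(r["xidNumber"])].append((r["objectSid"], r["type"]))
    collisions = {}
    for xid, entries in by_xid.items():
        owner = {}                         # namespace -> first SID claiming it
        for sid, typ in entries:
            for ns in NAMESPACES[typ]:
                if owner.setdefault(ns, sid) != sid:
                    collisions[xid] = entries
    return collisions

# Constructed sample: the user record quoted in post #2 plus two made-up groups
# (S-1-5-21-0-0-0-* are placeholder SIDs, not real ones).
SAMPLE = """\
type: ID_TYPE_UID
xidNumber: 2013
objectSid: S-1-5-21-3660329584-147669591-2845762440-1113

# record 2: a group stored as ID_TYPE_BOTH, as UCS does for every group
type: ID_TYPE_BOTH
xidNumber: 5001
objectSid: S-1-5-21-0-0-0-5001

# record 3: a group reusing the user's number -> ambiguous file owner
type: ID_TYPE_BOTH
xidNumber: 2013
objectSid: S-1-5-21-0-0-0-2013
"""
```

Running `find_collisions(parse_idmap_records(SAMPLE))` reports only xidNumber 2013; a real run would feed it the full output of `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'`.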


#4

Thank you very much for the detailed explanation.


#5

Thank you very much for this reply, also to “Univention Staff”.
If I understand your reply correctly, it’s OK if we have the same UID and GID as long as these are not used as a share access group, i.e. user ‘mike’ with uid=1200, ‘mike_g’ with gid=1200, and he is a member of share access group share_test with gid=5000.
If we keep an eye on it so that we never have a user GID in the range of the share group GIDs, we should be fine to have uid=gid (with regard only to users).

Right ?

Thanks again for your feedback.

Best Regards
Daniel