Trusts and authentication

Status
Not open for further replies.

chucktryon

Dabbler
Joined
Sep 20, 2011
Messages
26
We have a Windows Server 2003 that trusts a Samba domain. The FreeNAS is joined to the 2003 server.

The FreeNAS does not let us reference any of the users on the trusted Samba system from any of the command-line tools (setfacl, chown, etc.), giving us an error: malformed acl, unknown user or group.

We can map a drive to the FreeNAS using our Samba credentials. After that moment, the FreeNAS recognizes that particular user from the Samba domain and we can use setfacl, chown, etc. with that user.

We are planning on migrating lots of files over and would like to have the FreeNAS go ahead and grab all the current Samba users so we can get the permissions correct on our file repository.

So far as I can tell, what is happening is that, when we first log into the FreeNAS, Samba sets up the local information with the idmap. After that time, the system can find the user in the idmap system. But we do not want to have to log into each individual's account, one at a time.

Is there any way to snarf down all the users in a domain and generate ids for them?
 

chucktryon
We have made some progress.
I am not sure yet if the ID issue is because samba3 does not process IDs the same way Windows does, or if it is a general issue with trusts.

The Windows domain we are joined to does a great job sending user information to the FreeNAS server; after every FreeNAS reboot the Windows users show up with the same ID that they had before the reboot. The Windows domain is working fine.

The Samba domain, however, does have some issues. Every time we reboot the server, all the Samba users that are trusted by the Windows domain are dropped. When they connect the next time, they are added with UIDs that start at 10000 and increase every time that a new user connects. So, if Fred, Mary, and Sam connect up in that order, then Fred is 10001, Mary is 10002 and Sam is 10003. They generate files and they are saved with those ID numbers as owner. But when we reboot, if they connect in a different order, say Sam, Fred, and then Mary, then Sam is 10001, Fred is 10002, and Mary is 10003. Suddenly, all Fred's files are owned by Sam, Mary's files are owned by Fred, and Sam's files are owned by Mary. Not good for morale.

So far, a "solution" seems to be that we can have a script that maps a username to a given UID at boot. If we run a script before anyone connects, we can get the system to map the IDs in the order that we provide them.

This is our test script for now. It is run with something like: mapuser.sh domain\\sam domain\\mary domain\\fred

Code:
#!/bin/bash
# Map each domain\user given on the command line to a UID, in argument order.
# wbinfo --name-to-sid prints "SID SID_USER (1)"; keep only the SID.
# wbinfo --sids-to-unix-ids prints "SID -> uid NNNN"; keep only the number.
for user in "$@"; do
	sid=`wbinfo --name-to-sid "$user" 2>/dev/null | sed 's/ .*//'`
	if [ -n "$sid" ]; then
		# Resolving the SID makes winbind allocate the next free UID for it
		uid=`wbinfo --sids-to-unix-ids="$sid" | sed 's/.*uid//'`
		echo "$user $uid $sid"
	else
		# Consume one UID so the names after this one keep their slot
		echo "Invalid user: $user skipping a number"
		wbinfo --allocate-uid
	fi
done
 

chucktryon
Our "final solution"

Well, here is our current "final" solution (final until a better idea comes along).

We made an rc.local command that really lives in /conf/base/etc/rc.local (to make that file, we need to do a "mount -uw" to make the partition writable, and "mount -ur" when we have finished making the file):

/conf/base/etc/rc.local
Code:
#!/bin/bash
# FreeBSD runs /etc/rc.local through /bin/sh, so the shebang above is not used.
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:$PATH
export PATH

# Feed the fixed, ordered user list to the registration script before anyone connects,
# so every trusted user gets the same UID on every boot.
echo -n "Registering Domain Users  "
/mnt/Vol1/register-idmap.sh < /mnt/Vol1/domain_userlist >/dev/null
echo "  DONE"


And we have modified our script so that it now accepts domain\user information from the command line or from a pipe.
./register-idmap.sh domain\\fred domain\\sally
or
cat ./domain_user_list | ./register-idmap.sh

We stored our script on a mounted drive so we do not need to deal with the write permissions of the mount.

/mnt/Vol1/register-idmap.sh
Code:
#!/bin/bash
# Register domain\user names with winbind in a fixed order so each one gets a
# stable UID. Names come from the command line, or one per line on stdin when
# stdin is not a terminal (e.g. when rc.local feeds it the user list file).
PATH=/usr/local/bin:/bin:/sbin:/usr/sbin:/usr/bin:$PATH

process_user()
{
        user=$1
        # wbinfo --name-to-sid prints "SID SID_USER (1)"; keep only the SID
        sid=`wbinfo --name-to-sid "$user" 2>/dev/null | sed 's/ .*//'`
        if [ -n "$sid" ]; then
                # Resolving the SID makes winbind allocate the next free id for it
                uid=`wbinfo --sids-to-unix-ids="$sid" | sed 's/.*[ug]id//'`
                echo "$user $uid $sid"
        else
                # Consume one id so the names after this one keep their slot
                echo "Invalid user: $user skipping a number"
                wbinfo --allocate-uid
        fi
}

if [ ! -t 0 ]; then
        echo "reading in from stdin"
        # -r keeps the backslash in domain\user; blank lines are skipped
        while read -r user; do
                [ -n "$user" ] && process_user "$user"
        done
else
        for user in "$@"; do
                process_user "$user"
        done
fi


Now when our freenas boots up, it loads the extra users in the order specified in our userlist. So long as we never reorder that list, and only add users to the END of our list, we should be fine.
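Because the UIDs in this scheme depend only on the order of the list, the failure mode described in the earlier post (Fred's files silently becoming Sam's) would go unnoticed until someone complains. The script below is an added example, not one of chucktryon's scripts: it takes the "user uid sid" lines that register-idmap.sh prints on the first boot as a baseline and, on later boots, checks that every name still resolves to the same UID, reporting drift and returning the number of broken names as its exit status. It assumes the same wbinfo output formats the posted scripts rely on ("SID SID_USER (1)" from --name-to-sid and "SID -> uid NNNN" from --sids-to-unix-ids); the baseline path and the check-idmap.sh name are hypothetical.

```shell
#!/bin/sh
# Added example: detect winbind idmap drift after a reboot (not from the forum posts).
# Baseline file format is what register-idmap.sh prints: "name uid sid", one per line.
# Assumed wbinfo output formats:
#   wbinfo --name-to-sid NAME      -> "S-1-5-...  SID_USER (1)"
#   wbinfo --sids-to-unix-ids=SID  -> "S-1-5-... -> uid 10001"

# Resolve a domain\user name to "uid sid". Returns 1 (prints nothing) when
# winbind does not know the name or has no numeric id for its SID.
lookup_uid() {
    name=$1
    sid=$(wbinfo --name-to-sid "$name" 2>/dev/null | awk '{print $1}')
    [ -n "$sid" ] || return 1
    uid=$(wbinfo --sids-to-unix-ids="$sid" 2>/dev/null | awk '{print $NF}')
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;   # "unmapped" or empty: not a usable id
    esac
    printf '%s %s\n' "$uid" "$sid"
}

# Compare a baseline file against the live idmap. Prints one line per problem
# and returns the number of names whose uid changed or that no longer resolve.
check_idmap() {
    baseline=$1
    bad=0
    while read -r name want_uid want_sid; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! got=$(lookup_uid "$name"); then
            echo "UNRESOLVED $name (was uid $want_uid)"
            bad=$((bad + 1))
            continue
        fi
        got_uid=${got%% *}
        got_sid=${got#* }
        if [ "$got_uid" != "$want_uid" ]; then
            echo "DRIFT $name: uid $want_uid -> $got_uid"
            bad=$((bad + 1))
        elif [ "$got_sid" != "$want_sid" ]; then
            echo "SID CHANGED $name: $want_sid -> $got_sid"
            bad=$((bad + 1))
        fi
    done < "$baseline"
    return "$bad"
}

# Usage: check-idmap.sh /mnt/Vol1/idmap_baseline   (hypothetical path)
if [ "$#" -gt 0 ]; then
    check_idmap "$1"
fi
```

Capture the baseline once with `register-idmap.sh < domain_userlist > idmap_baseline` on a boot you trust, then run the check from rc.local right after the registration step; a non-zero exit is the signal to stop file migration and look at the idmap before any chown runs.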
 