Samba/AD SMB ranges squashing idmap autorid ranges?

styne666

Cadet
Joined
Apr 19, 2014
Messages
9
Trying to configure idmap_autorid in Directory Services -> Active Directory -> Edit IDMAP. Cleared out dbs in /var/db/system/samba4. Set it to use 10m-20m with 100k ranges then joined successfully but `getent passwd` is showing UIDs in 90m+ range.

Being very confused I poked about, and found that in the SMB service web interface, there are "Range Low" and "Range High" settings there which seem to be resulting in the following in `/etc/local/smb4.conf`:

Code:
    idmap config * : backend = autorid
    idmap config * : range = 10000000-19999999
    idmap config * : rangesize = 100000
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000


The web interface won't let me remove Range Low/High, so how can I prevent that tdb configuration from squashing the autorid config? This feels like a bug to me.

Edit: I should add, it won't let me set them to the same range either. Says they conflict.

Code:
    # uname -a
    FreeBSD nas 11.3-RELEASE-p5 FreeBSD 11.3-RELEASE-p5 #0 r325575+8ed1cd24b60(HEAD): Mon Jan 27 18:07:23 UTC 2020     root@tnbuild02.tn.ixsystems.com:/freenas-releng/freenas/_BE/objs/freenas-releng/freenas/_BE/os/sys/FreeNAS.amd64  amd64
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Ouch. Can you PM me a debug?
 

styne666

So is FreeNAS 'sorting' the idmap statements on their ranges?

I've done a clean 'unjoin', followed by purging the Samba tdbs, fiddling with the ranges (I changed autorid to 100m-200m) and rejoining. The order has swapped in smb4.conf.

Code:
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    idmap config * : backend = autorid
    idmap config * : range = 100000001-200000000
    idmap config * : rangesize = 100000


And `testparm` shows the autorid squashing the tdb. However...

Code:
    # getent passwd | grep guest
    DOMAIN\guest:*:90000004:90000014::/mnt/pool/homes/DOMAIN/guest:/bin/sh


Which is clearly in the tdb range.

> Can you PM me a debug?

/var/log/middlewared.log?

It definitely strikes me as odd that an entry for tdb appears at all when autorid is selected because autorid is an allocating backend. So where you might have idmap * -> tdb plus idmap DOMAIN -> rid; autorid replaces both of those in one idmap -> autorid.
 

anodos

I'm aware of the design of idmap_autorid. This was a regression caused by some changes in the idmap plugin. I will PM you a patched file.
 

styne666

Thanks Anodos!

Code:
--- smb4.conf.orig      2020-02-22 10:41:59.824605000 +0000
+++ smb4.conf   2020-02-24 20:44:58.945573825 +0000
@@ -341,7 +341,7 @@
             idmap_domains = middleware.call_sync('idmap.get_configured_idmap_domains')
             autorid_enabled = False
             if db['role'] == "ad_member":
-                autorid_enabled = any(filter(lambda x: x['idmap_backend'] == 'autorid', idmap_domains))
+                autorid_enabled = any(filter(lambda x: x['idmap_backend'] == 'AUTORID', idmap_domains))

             for domain in idmap_domains:
                 add_idmap_domain(pc, db, domain, autorid_enabled)
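
Review bot: The comparison on the changed `autorid_enabled` line still relies on an exact-case string literal, so any later change in how `idmap_backend` is stored would again leave `autorid_enabled` False without any error and pass the wrong flag to `add_idmap_domain`. Consider normalising before comparing, e.g. `x['idmap_backend'].upper() == 'AUTORID'`, or comparing against a shared constant for backend names. The `any(filter(lambda ...))` form would also read more simply as `any(d['idmap_backend'] == 'AUTORID' for d in idmap_domains)`, and a one-line comment on why the flag matters to the loop below would help the next reader.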

  • apply patch
  • $ service middlewared onerestart
  • unjoin
  • disable SMB Service
  • $ find /var/db/system/samba4 \( -type f -or -type s \) -delete
  • join
  • $ midclt call idmap.clear_idmap_cache
  • $ grep idmap /usr/local/etc/smb4.conf
    Code:
    idmap config * : backend = autorid
    idmap config * : range = 100000001-200000000
    idmap config * : rangesize = 100000
    
  • $ getent passwd | grep guest
    Code:
    DOMAIN\guest:*:100100502:100100514::/mnt/big/homes/DOMAIN/guest:/bin/sh
    
Perfect! Thanks. :D I'm sure some of my steps there are unnecessary too.

Are there any GUI changes planned related to idmaps? It can be difficult to work out what effect some of the GUI settings have on the smb4.conf.
 

anodos

> Are there any GUI changes planned related to idmaps? It can be difficult to work out what effect some of the GUI settings have on the smb4.conf.
FreeNAS 12 (master) already has a GUI idmap editor, which allows manually configuring idmap backends for trusted domains (and the default domain) in a single screen.

For 11.3, in setups without trusted domains, the idmap backend for the domain that you're joined to can be edited by adjusting the dropdown for the backend and editing the range through the advanced option for it. In the case of 'autorid' the configured idmap range will become the default one (*), but in the other cases it will adjust the idmap details for the DOMAIN you're joined to (the default domain in this case is controlled by the idmap settings under Services->SMB).
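
The condition both `smb4.conf` excerpts in this thread show, one idmap domain (`*`) configured twice, can be checked for mechanically. The following is an added example, not code from the thread or from FreeNAS; the function names and `SAMPLE` are constructed for illustration, and it assumes the last assignment of an option is the one that takes effect.

```python
import re
from collections import defaultdict

# Constructed input: the idmap lines quoted in the first post of this thread.
SAMPLE = """\
idmap config * : backend = autorid
idmap config * : range = 10000000-19999999
idmap config * : rangesize = 100000
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
"""

# "idmap config <domain> : <option> = <value>", tolerant of spacing around ':'
LINE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(text):
    """Map domain -> option -> [(line number, value), ...] in file order."""
    conf = defaultdict(lambda: defaultdict(list))
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line)
        if m:
            domain, option, value = m.groups()
            conf[domain.upper()][option.lower()].append((lineno, value))
    return conf

def effective(conf):
    """Collapse duplicates, assuming the last assignment of an option wins."""
    return {d: {o: vals[-1][1] for o, vals in opts.items()} for d, opts in conf.items()}

def conflicts(conf):
    """Report options assigned more than once with different values."""
    found = []
    for domain, opts in conf.items():
        for option, vals in opts.items():
            if len({v for _, v in vals}) > 1:
                lines = ", ".join(f"line {n}: {v}" for n, v in vals)
                found.append(f"idmap config {domain} : {option} redefined ({lines})")
    return found

def domain_for_id(eff, unix_id):
    """Return the domain whose effective range contains unix_id, or None."""
    for domain, opts in eff.items():
        low, _, high = opts.get("range", "").partition("-")
        if low.strip().isdigit() and high.strip().isdigit() and int(low) <= unix_id <= int(high):
            return domain
    return None

if __name__ == "__main__":
    print("\n".join(conflicts(parse_idmap(SAMPLE))))
```

A `None` from `domain_for_id` for an ID that `getent passwd` still returns means the mapping does not come from the effective range, as with the `90000004` guest UID after the rejoin above.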
 