New Unix user and group domain

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Feb 24 19:21:57 GMT 2006


On Fri, Feb 24, 2006 at 11:46:30AM -0600, Gerald (Jerry) Carter wrote:
> * In all configurations default to 513 as the user's primary
>      group in the absence of a valid gid_to_sid() result in
>      the server's SAM domain.

Ack.

> * standalone, member server, new Samba domain - don't worry
>      about the RID algorithm from 3.0.21.  Just use the S-1-22-X
>      domains

Also ok for standalone and member. We don't have to present
to anyone, so why bother.  In our own token s-1-22-2-gid is
as good as a mapped one.

For a fresh DC we need explicit mappings to RIDs above 1000,
be they automatic or manual.

> * Upgraded pure-blood Samba DC - no persistent mapping.  Just
>      continue to use the RID algorithm.  Do not allow
>      manual group mappings above 1000 and do not use a
>      monotonic RID allocation scheme.

We have to cope with situations where the admin has messed
with the group mapping table; we cannot rely on nobody
having done explicit mappings above RID 1000.

> * Samba domain migrated from Windows DC - Use existing group
>      mappings (should have been established by the 'net rpc
>      vampire' process).  Unmapped groups are shown in the
>      S-1-22-2 domain.
> 
> This is not so insurmountable.  It allows us to choose an all
> or none solution.

My plan for Samba upgrades would be to run a script that
goes through all users in passdb, gets all their groups from
nss and does an explicit mapping based on the algorithm if
it's not already there. Then we go through all users and
groups, looking for the max RID assigned so far and adapt
the allocator.

This covers both the migrated as well as the pure but
messed-with domains.

For new mappings I would like to see a net subcommand to
take just a unix group, pick a new RID and map it to a
domain group. Alternatively do that step automatically in
pdb_enum_group_memberships if some unmapped group pops up
from getgroups().

Volker
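Added illustration of the upgrade script sketched above; this is not code from the post or from Samba. It assumes the 3.0.21-style algorithmic group RID (gid*2 + 1001, odd RIDs for groups), a group-mapping table the admin may already have filled with manual entries above RID 1000, and constructed passdb/nss sample data; unmapped groups fall back to the S-1-22-2 domain.

```python
BASE_RID, RID_MULTIPLIER = 1000, 2   # assumed 3.0.21 algorithmic scheme
UNIX_GROUPS_DOMAIN = "S-1-22-2"      # where unmapped unix groups show up

# Constructed sample data: passdb users, their nss groups, and a mapping
# table the admin has "messed with" (manual entry above RID 1000).
PASSDB_USERS = ["alice", "bob"]
NSS_GROUPS = {"alice": [100, 2000], "bob": [100, 3001]}
MANUAL_GROUP_MAP = {7: 1201}         # 1201 collides with algorithmic RID of gid 100


def algorithmic_group_rid(gid):
    """Assumed 3.0.21 mapping: group RIDs are odd, gid*2 + 1001."""
    return (gid * RID_MULTIPLIER + BASE_RID) | 1


def upgrade_mappings(passdb_users, nss_groups, group_map):
    """Walk every passdb user's nss groups and add an explicit mapping
    where none exists, preferring the algorithmic RID. Existing (manual)
    entries are kept; a clash with one gets a fresh RID instead.
    Returns (updated gid->rid map, next RID for the allocator)."""
    group_map = dict(group_map)            # do not mutate the caller's table
    used = set(group_map.values())
    for user in passdb_users:
        for gid in nss_groups.get(user, ()):
            if gid in group_map:
                continue                   # explicit mapping already there
            rid = algorithmic_group_rid(gid)
            if rid in used:                # admin took this RID manually
                rid = max(used) + 1
            group_map[gid] = rid
            used.add(rid)
    # Adapt the allocator: continue above the highest RID seen so far.
    next_rid = max(used, default=BASE_RID) + 1
    return group_map, next_rid


def group_sid(domain_sid, gid, group_map):
    """Mapped groups live in the server's SAM domain, unmapped ones in
    S-1-22-2-gid, which is as good as a mapped one inside our own token."""
    if gid in group_map:
        return f"{domain_sid}-{group_map[gid]}"
    return f"{UNIX_GROUPS_DOMAIN}-{gid}"


if __name__ == "__main__":
    mapping, next_rid = upgrade_mappings(PASSDB_USERS, NSS_GROUPS, MANUAL_GROUP_MAP)
    print(mapping, "next RID:", next_rid)
```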