Recent changes to autorid (was Re: [SCM] Samba Shared Repository - branch master updated)

Michael Adam obnox at samba.org
Tue Apr 29 05:09:34 MDT 2014


On 2014-04-29 at 10:14 +0100, Rowland Penny wrote:
> On 29/04/14 10:08, Michael Adam wrote:
> >Hi Rowland,
> >
> >while your input is highly appreciated,
> >I think it does not quite fit here, since
> >the ID-Mapping we are talking about in this
> >thread is the source3-winbindd's id mapping,
> >which is not (yet!) the id mapping that is
> >done on the DC.
> >
> >Cheers - Michael
> >
> >>Hi, can I add my 2p's worth here, there is a thread on the samba
> >>list at the moment about builtin's not mapping on the DC. The
> >>problem seems to be that when you rsync sysvol to another DC, you
> >>get the xidNumbers from the original DC on the client DC and these
> >>xidNumbers are different from the ones that the client DC uses.
> >>
> >>Because of this, GPO's do not work correctly, or not at all, so, I
> >>think that (IMHO) something needs to be done about this.
> >>
> Hi Michael, Jeremy was proposing that the well-known SID's should be
> hard-coded, I was just pointing out a reason why they should be.
> What is the point in having another DC, if, when you rsync sysvol to
> it (the only way at the moment), you cannot use it because the ACL's
> are wrong ??

I understand what you are talking about.  But in insisting on
this aspect, you are still hijacking this thread, since it
is not about the DC. :-)

(Once the project to use bin/winbindd in bin/samba
instead of bin/samba's built-in winbind component is
completed, the DC can benefit from the things we are
discussing here.)

That being said, it would of course be desirable to also
have deterministic mappings on the DC.

But on the other hand, how it should actually also work without
having the same id mappings is this:

1. use "file winbind" in /etc/nsswitch.conf for passwd and group
2. _not_ use --numeric-ids with rsync !

The problem why this currently does not work
is that the builtin and wellknown are not treated
properly via nsswitch. I.e. while we do gid <-> sid and sid <-> name
correctly for builtins, we don't do getgrgid.
(Maybe to implement this would provide a faster solution
than the complete substitution of winbind, which we want and
need to do anyways.)

Cheers - Michael
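
Added example, not part of the original message or of Samba's code: a pre-sync check for the name-based rsync approach described above. It walks a tree and lists the owner uids and gids that have no name through NSS (the getpwuid/getgrgid path); without --numeric-ids, rsync sends such IDs as bare numbers, so they arrive unchanged on the receiver. The function name `unresolved_ids` is hypothetical, and only stat() owner and group are checked, not ACL entries.

```python
import grp
import os
import pwd
import sys


def _resolves(lookup, ident):
    """True if a getpwuid/getgrgid style lookup finds a name for ident."""
    try:
        lookup(ident)
        return True
    except KeyError:
        return False


def unresolved_ids(root, getpwuid=pwd.getpwuid, getgrgid=grp.getgrgid):
    """Return (uids, gids) under root that NSS cannot map to a name.

    The lookups are injectable so the check can be exercised without
    depending on the local passwd/group databases.
    """
    uid_ok, gid_ok = {}, {}
    for dirpath, dirnames, filenames in os.walk(root):
        paths = [dirpath] + [os.path.join(dirpath, n)
                             for n in dirnames + filenames]
        for path in paths:
            st = os.lstat(path)  # lstat: report the link itself, not its target
            if st.st_uid not in uid_ok:
                uid_ok[st.st_uid] = _resolves(getpwuid, st.st_uid)
            if st.st_gid not in gid_ok:
                gid_ok[st.st_gid] = _resolves(getgrgid, st.st_gid)
    bad_uids = sorted(u for u, ok in uid_ok.items() if not ok)
    bad_gids = sorted(g for g, ok in gid_ok.items() if not ok)
    return bad_uids, bad_gids


if __name__ == "__main__":
    # Usage: script.py <directory>, e.g. the local copy of sysvol.
    uids, gids = unresolved_ids(sys.argv[1])
    for u in uids:
        print(f"uid {u}: no name via NSS, would be transferred numerically")
    for g in gids:
        print(f"gid {g}: no name via NSS, would be transferred numerically")
    sys.exit(1 if uids or gids else 0)
```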
