Recent changes to autorid (was Re: [SCM] Samba Shared Repository - branch master updated)

Tue Apr 29 11:02:01 MDT 2014

On Tue, 2014-04-29 at 13:09 +0200, Michael Adam wrote:
> On 2014-04-29 at 10:14 +0100, Rowland Penny wrote:
> > On 29/04/14 10:08, Michael Adam wrote:
> > >Hi Rowland,
> > >
> > >while your input is highly appreciated,
> > >I think it does not quite fit here, since
> > >the ID-Mapping we are talking about in this
> > >thread is the source3-winbindd's id mapping,
> > >which is not (yet!) the id mapping that is
> > >done on the DC.
> > >
> > >Cheers - Michael
> > >
> > >>Hi, can I add my 2p's worth here, there is a thread on the samba
> > >>list at the moment about builtins not mapping on the DC. The
> > >>problem seems to be that when you rsync sysvol to another DC, you
> > >>get the xidNumbers from the original DC on the client DC and these
> > >>xidNumbers are different from the ones that the client DC uses.
> > >>
> > >>Because of this, GPOs do not work correctly, or not at all, so, I
> > >>think that (IMHO) something needs to be done about this.
> > >>
> > Hi Michael, Jeremy was proposing that the well-known SIDs should be
> > hard-coded, I was just pointing out a reason why they should be.
> > What is the point in having another DC, if, when you rsync sysvol to
> > it (the only way at the moment), you cannot use it because the ACLs
> > are wrong?
> I understand what you are talking about.  But in insisting on
> this aspect, you are still hijacking this thread, since it
> is not about the DC. :-)

No, Rowland is not hijacking anything, he made a perfectly relevant and
forward-looking comment. And that is: using fixed mappings for these SIDs
is something we need anyway for the DC case, so we might as well factor
it in here, as we are going to need to handle that case too.

> (Once the project to use bin/winbindd in bin/samba
> instead of bin/samba's built in winbind component is
> completed, the DC can benefit from the things we are
> discussing here.)
> That being said, it would of course be desirable to also
> have deterministic mappings on the DC.

For well-known SIDs it certainly does; might as well do something about
it now.

> But on the other hand, how it should actually also work without
> having the same id mappings is this:
> 1. use "file winbind" in /etc/nsswitch.conf for passwd and group
> 2. _not_ use --numeric-ids with rsync !

This is certainly good advice, but doesn't it break down for special
SIDs that are neither users nor groups?

> The problem why this currently does not work
> is that the builtin and wellknown are not treated
> properly via nsswitch. I.e. while we do gid <-> sid and sid <-> name
> correctly for builtins, we don't do getgrgid.
> (Maybe to implement this would provide a faster solution
> than the complete substitution of winbind, which we want and
> need to do anyways.)

/me nods.
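Added example (not part of the thread, and not Samba's own code): a small POSIX shell check for the condition Michael describes above, i.e. whether a BUILTIN or well-known SID resolves sid<->gid and sid<->name through winbind but then fails the gid->name (getgrgid) lookup through NSS. That NSS lookup is what the "files winbind" nsswitch.conf entry plus an rsync of sysvol without --numeric-ids depends on, so this is the check to run on each DC before trusting that approach. The SID list is a constructed sample; wbinfo and getent are assumed to be on PATH with winbindd running.

```shell
#!/bin/sh
# Added example: check whether BUILTIN/well-known SIDs survive the round trip
# that a name-based rsync of sysvol (no --numeric-ids) and "files winbind"
# in /etc/nsswitch.conf rely on. For each SID we do
#   SID -> gid   via  wbinfo --sid-to-gid
#   SID -> name  via  wbinfo -s
#   gid -> name  via  getent group GID   (this is the getgrgid() path)
# and flag SIDs whose gid resolves through winbind but not through NSS.
# The SID list is a constructed sample; wbinfo/getent are assumed on PATH.

SIDS="S-1-5-32-544 S-1-5-32-545 S-1-1-0 S-1-5-11"

sid_to_gid()  { wbinfo --sid-to-gid "$1" 2>/dev/null; }
sid_to_name() { wbinfo -s "$1" 2>/dev/null; }
gid_to_name() { getent group "$1" 2>/dev/null | cut -d: -f1; }

# check_sid SID
# Prints one line: SID GID WINBIND_NAME NSS_NAME STATUS
# Exit status: 0 = NSS resolves the gid, 1 = sid<->gid works but
# getgrgid() does not (the case discussed in the thread), 2 = no mapping.
check_sid() {
  sid=$1
  gid=$(sid_to_gid "$sid") || gid=""
  if [ -z "$gid" ]; then
    printf '%s\n' "$sid - - - NO_MAPPING"
    return 2
  fi
  # wbinfo -s prints "NAME TYPE"; keep it verbatim (printf, not echo,
  # because the name contains a backslash).
  wbname=$(sid_to_name "$sid") || wbname="?"
  nssname=$(gid_to_name "$gid") || nssname=""
  if [ -z "$nssname" ]; then
    printf '%s\n' "$sid $gid $wbname - GETGRGID_FAILS"
    return 1
  fi
  printf '%s\n' "$sid $gid $wbname $nssname OK"
  return 0
}

# check_all: run every SID in $SIDS; exit status 0 only if all are OK.
check_all() {
  rc=0
  for s in $SIDS; do
    check_sid "$s" || rc=1
  done
  return $rc
}

# Run the full check when invoked as:  sh check-builtin-ids.sh run
if [ "${1-}" = "run" ]; then
  check_all
fi
```

Any GETGRGID_FAILS line means that, on a name-based rsync, the receiving side cannot turn that group's name back into a local gid, and rsync then falls back to the sender's numeric id, which is exactly the wrong-xidNumber problem Rowland describes. Keep --numeric-ids (and accept the mismatch) or keep the mappings identical until every probed SID reports OK on both DCs.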


