Recent changes to autorid (was Re: [SCM] Samba Shared Repository - branch master updated)

Rowland Penny repenny241155 at gmail.com
Tue Apr 29 11:15:19 MDT 2014


On 29/04/14 18:02, Simo wrote:
> On Tue, 2014-04-29 at 13:09 +0200, Michael Adam wrote:
>> On 2014-04-29 at 10:14 +0100, Rowland Penny wrote:
>>> On 29/04/14 10:08, Michael Adam wrote:
>>>> Hi Rowland,
>>>>
>>>> while your input is highly appreciated,
>>>> I think it does not quite fit here, since
>>>> the ID-Mapping we are talking about in this
>>>> thread is the source3-winbindd's id mapping,
>>>> which is not (yet!) the id mapping that is
>>>> done on the DC.
>>>>
>>>> Cheers - Michael
>>>>
>>>>> Hi, can I add my 2p's worth here, there is a thread on the samba
>>>>> list at the moment about builtin's not mapping on the DC. The
>>>>> problem seems to be that when you rsync sysvol to another DC, you
>>>>> get the xidNumbers from the original DC on the client DC and these
>>>>> xidNumbers are different from the ones that the client DC uses.
>>>>>
>>>>> Because of this, GPO's do not work correctly, or not at all, so, I
>>>>> think that (IMHO) something needs to be done about this.
>>>>>
>>> Hi Michael, Jeremy was proposing that the well known SID's should be
>>> hard-coded, I was just pointing out a reason why they should be.
>>> What is the point in having another DC, if, when you rsync sysvol to
>>> it (the only way at the moment), you cannot use it because the ACL's
>>> are wrong ??
>> I understand what you are talking about.  But in insisting on
>> this aspect, you are still hijacking this thread, since it
>> is not about the DC. :-)
> No, Rowland is not hijacking anything, he made a perfectly relevant and
> forward looking comment. And that is using fixed mappings for these SIDs
> is something we need anyway for the DC case, so we might as well factor
> it in here, as we are going to need to handle that case too.
Thanks Simo, I was basing my comments on what I found here: 
http://support.microsoft.com/kb/243330

under the 'Summary' heading:

'Well-known SIDs are a group of SIDs that identify generic users or 
generic groups. Their values remain constant across all operating systems.'

Does Linux qualify as an operating system ;-)

I only ask this because, at the moment, the above statement is not true 
for Linux.

Rowland
>> (Once the project to use bin/winbindd in bin/samba
>> instead of bin/samba's built in winbind component is
>> completed, the DC can benefit from the things we are
>> discussing here.)
>>
>> That being said, it would of course be desirable to also
>> have deterministic mappings on the DC.
> For wellknown SID it certainly does, might as well, do something about
> it now.
>
>> But on the other hand, how it should actually also work without
>> having the same id mappings is this:
>>
>> 1. use "file winbind" in /etc/nsswitch.conf for passwd and group
>> 2. _not_ use --numeric-ids with rsync !
> This is certainly good advice, but doesn't it break down for special
> SIDs that are neither users nor groups ?
>
>> The problem why this currently does not work
>> is that the builtin and wellknown are not treated
>> properly via nsswitch. I.e. while we do gid <-> sid and sid <-> name
>> correctly for builtins, we don't do getgrgid.
>> (Maybe to implement this would provide a faster solution
>> than the complete substitution of winbind, which we want and
>> need to do anyways.)
> /me nods.
>
> Simo.
>
>
>
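Added example (not code from this thread or from Samba) illustrating the two points above: well-known SIDs getting different xidNumbers on independently provisioned DCs, and why rsync --numeric-ids then attributes sysvol ACL entries to the wrong SID on the receiving DC, while a name-based copy only works when nsswitch can resolve the BUILTIN gid. The idmap.ldb dumps are constructed samples; the function names are mine.

```python
"""Compare well-known SID -> xidNumber mappings from two DCs' idmap.ldb dumps
and show what an rsync of sysvol does to the ACL ownership on the second DC."""
import re
from typing import Dict, Tuple

# Constructed sample dumps (LDIF style, as ldbsearch prints idmap.ldb records).
# Both DCs allocated xids independently, so BUILTIN\Administrators (-544) and
# BUILTIN\Users (-545) ended up with swapped numbers.
DC1_IDMAP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001
"""
DC2_IDMAP = DC1_IDMAP.replace("3000000", "X").replace("3000001", "3000000").replace("X", "3000001")

# BUILTIN (S-1-5-32-*), Everyone, Authenticated Users, SYSTEM: constant on every Windows host.
WELL_KNOWN = re.compile(r"^S-1-(?:5-32-\d+|1-0|5-11|5-18)$")

def parse_idmap(ldif: str) -> Dict[str, int]:
    """Return {objectSid: xidNumber} from a blank-line separated LDIF dump."""
    mapping = {}
    for block in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def mismatched_well_known(a: Dict[str, int], b: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Well-known SIDs present on both DCs whose xidNumber differs (the check to run after joining a DC)."""
    return {s: (a[s], b[s]) for s in a if WELL_KNOWN.match(s) and s in b and a[s] != b[s]}

def numeric_copy_owner(src: Dict[str, int], dst: Dict[str, int], sid: str) -> str:
    """SID a file owned by `sid` on src is attributed to on dst after rsync --numeric-ids (raw xid copied)."""
    by_xid = {v: k for k, v in dst.items()}
    return by_xid.get(src[sid], "<unmapped xid %d>" % src[sid])

def name_copy_owner(src: Dict[str, int], dst: Dict[str, int], sid: str, nss_resolves_builtin: bool) -> str:
    """rsync without --numeric-ids maps gid -> name on src and name -> gid on dst, preserving the SID;
    if getgrgid() cannot resolve the xid (the BUILTIN gap above) rsync falls back to the numeric id."""
    if not nss_resolves_builtin:
        return numeric_copy_owner(src, dst, sid)
    return sid if sid in dst else "<unmapped on destination>"
```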