idmap backends, clean slates and the AD DC

Andrew Bartlett abartlet at
Sat Feb 21 18:18:38 MST 2015

On Sat, 2015-02-21 at 20:05 +0000, Miguel Medalha wrote:
> I just came to the conclusion that the rid backend has been very much
> underappreciated. Too much mental inertia about how things used to be
> made?
> After struggling for two days to configure a member server against a
> Samba Active Directory with the ad/RFC2307 backend, I turned to the
> rid backend and voilà! all my problems are gone. Having to manually
> edit uids/gids in UNIX Attributes under RSAT does really suck! The
> Administrator account is never correctly mapped and setting
> permissions on the member server becomes a PITA. All kinds of glitches
> become apparent.
> Deterministic conversion from SID to UID rocks! Simple and elegant.
> Everything is working in just a few minutes. Great! More people should
> know about this.
> Just use the same ranges in all your servers and you will have
> consistent IDs in all machines.
> And for really large installations there's the autorid backend!
> How come this is not more widely known? Even the Samba Wiki page about
> the RID backend is empty!

What I would like to do, if I ever get the time, energy or someone else
does it for me, is to have a rid backend that uses the trustPosixOffset
attribute, and calculates ID values just like AD claims to do for the
never-used POSIX subsystems. 

If we could detect new installs, then clients and the AD DC would use
this new autorid_trustPosixOffset by default, but clients using rfc2307
would also 'just work' (minus the benefits of ID_TYPE_BOTH) as we filled
that in anyway.

Then, have an optional mode in Samba that when we create users, we fill
in the uidNumber value and gidNumber values with whatever the supported
mode on the RID master or PDC emulator AD DC would create (using the
FSMO master so there is only one allocator). 

The big challenge we have in this area is that we have existing
installations that we can't just change the defaults on, and so our
ideal solution isn't the same one we could do if we started from a blank
slate (cue sssd comments here). 

All that said, I do regret that we didn't make the rfc2307 mode the
default in the AD DC prior to 4.0. 

I'm snowed under on so many other things, but if anyone wants to work on
this, do let me know.  Perhaps a good GSoC project?


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
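An added example, not code from the thread or from Samba itself, modelling the deterministic SID-to-UID arithmetic of the idmap_rid backend that the thread praises: ID = RID + LOW_RANGE_ID, reversible, and identical on every server configured with the same range. The domain SID and the 10000-999999 range are constructed values standing in for an `idmap config DOMAIN : range` line.

```python
import re

# Constructed sample configuration, mirroring the smb.conf lines
#   idmap config EXAMPLE : backend = rid
#   idmap config EXAMPLE : range = 10000-999999
# The domain SID below is made up for illustration.
RID_CONFIG = {
    "S-1-5-21-111111111-222222222-333333333": {
        "name": "EXAMPLE", "low": 10000, "high": 999999,
    },
}

# Domain-relative SIDs: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-relative SID string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid}")
    return sid[: sid.rfind("-")], int(m.group(1))


def sid_to_id(sid, config=RID_CONFIG):
    """idmap_rid style mapping: unix ID = RID + low end of the domain's range.

    Returns None for an unknown domain or when the result would leave the
    configured range, i.e. the account stays an unresolvable SID rather than
    colliding with another range.
    """
    domain_sid, rid = split_sid(sid)
    dom = config.get(domain_sid)
    if dom is None:
        return None
    unix_id = dom["low"] + rid
    if unix_id > dom["high"]:
        return None  # RID too large for the range; widen the range, not the math
    return unix_id


def id_to_sid(unix_id, config=RID_CONFIG):
    """Reverse mapping: the domain whose range contains unix_id owns it."""
    for domain_sid, dom in config.items():
        if dom["low"] <= unix_id <= dom["high"]:
            return f"{domain_sid}-{unix_id - dom['low']}"
    return None
```

Because no state is stored, two member servers with the same range line compute the same ID for the same SID, which is the consistency the thread describes; the built-in Administrator (RID 500) lands at low + 500 without any uidNumber having to be set by hand.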
