idmap backends, clean slates and the AD DC
Stefan (metze) Metzmacher
metze at samba.org
Tue Mar 3 05:54:51 MST 2015
Am 22.02.2015 um 02:18 schrieb Andrew Bartlett:
> On Sat, 2015-02-21 at 20:05 +0000, Miguel Medalha wrote:
>> I just came to the conclusion that the rid backend has been very much
>> underappreciated. Too much mental inertia about how things used to be
>> After strugling for two days to configure a member server against a
>> Samba Active Directory with the ad/RFC2307 backend, I turned to the
>> rid backend and voil! all my problems are gone. Having to manually
>> edit uids/gids in UNIX Attributes under RSAT does really suck! The
>> Administrator account is never correctly mapped and setting
>> permissions on the member server becomes a PITA. All kinds of glitches
>> become apparent.
>> Deterministic conversion from SID to UID rocks! Simple and elegant.
>> Everything is working in just a few minutes. Great! More people should
>> know about this.
>> Just use the same ranges in all your servers and you will have
>> consistent IDs in all machines.
>> And for really large installations theres the autorid backend!
>> How come this is not more widely known? Even the Samba Wiki page about
>> the RID backend is empty!
> What I would like to do, if I ever get the time, energy or someone else
> does it for me, is to have a rid backend that uses the trustPosixOffset
> attribute, and calculates ID values just like AD claims to do for the
> never-used POSIX subsystems.
The sad thing is that this can't work, because it doesn't handle
What we really need are autorid backends with a global storage, one for AD
and one for LDAP.
> If we could detect new installs, then clients and the AD DC would use
> this new autorid_trustPosixOffset by default, but clients using rfc2307
> would also 'just work' (minus the benefits of ID_TYPE_BOTH) as we filled
> that in anyway.
> Then, have an optional mode in Samba that when we create users, we fill
> in the uidNumber value and gidNumber values with whatever the supported
> mode on the RID master or PDC emulator AD DC would create (using the
> FSMO master so there is only one allocator).
> The big challenge we have in this area is that we have existing
> installations that we can't just change the defaults on, and so our
> ideal solution isn't the same one we could do if we started from a blank
> slate (cue sssd comments here).
> All that said, I do regret that we didn't make the rfc2307 mode the
> default in the AD DC prior to 4.0.
I'd really like to avoid spreading rfc2307 as much as possible...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 181 bytes
Desc: OpenPGP digital signature
More information about the samba-technical