Domain provision, xidNumber and RIDs

Miguel Medalha
Fri Jun 17 22:03:44 UTC 2016

The subject of xidNumber and users having different IDs between 
different DCs and between DCs and member servers has been (and I fear 
will be) the subject of endless and perhaps unnecessary confusion 
amongst Samba users.

I am not a programmer but I am certainly (at least somewhat) capable of 
logical thinking, so there are some aspects of this matter I would like 
to discuss. I am assuming, of course, that someone from the Samba 
developer team is willing to listen to an outsider.

The developers of the Samba AD code probably had some strong reasons, 
which escape those like me who are not involved in actually doing it, to 
do this the way they did, but the truth is that from a common user's 
point of view the final result presents itself as an unnecessarily 
complicated mess. Viewed from the outside, it looks like Samba already 
had all the components in place for a tidier setup but somewhere along 
the line things took a "wrong" turn.

At the moment of domain provision, why not obtain the IDs given to users 
and groups from a predictable and stable source such as the user's and 
group's RIDs instead of that arbitrary and potentially inconsistent 
3000000 range that has sparked so much confusion?

-- At domain provision, samba-tool would offer a parameter for the ID 
base, with a default of maybe 1000000 (one million), optionally 
configurable by the admin -- for example a different base (let's say 
2000000, in case of dealing with more than one domain) or a number with 
more digits (if a larger number of users is to be expected for a 
particular domain).

Using this base, IDs would be directly derived from the RID part of the 
SID. With this direct correspondence, Well-Known SIDs would 
automatically translate to easily readable and easily relatable UIDs.

-- Provision of additional DCs, as long as the same RID base is used, 
would provide the same IDs for all DCs. No need to copy idmap.ldb 
between DCs to maintain consistency.

A nice touch would be:

-- If RFC2307 is selected at the time of domain provision 
(--use-rfc2307), automatically install the NIS extensions to the AD 
schema and fill the corresponding UID and GID fields with the 
RID-derived numbers obtained above (with the appropriate exceptions such 
as Administrator, of course), as well as a default for user shell and 
home, preferably also configurable from samba-tool parameters. These 
fields and home+shell would of course be individually editable later for 
custom purposes.

-- When configuring a member server, in most cases admins would only 
have to choose between the RFC2307 and RID backends and parametrize them 
properly in smb.conf. Done.

As far as I can see, these measures would provide an almost automatic 
configuration, satisfying the needs of the large majority of users while 
still leaving room for those who need further customization.

Even though I don't know the intricacies of the relevant code, based on 
the little I know I would think that it is not too late to perfect this 
issue in upcoming releases of Samba.

This would be a win-win situation: users would not suffer and Samba 
developers could concentrate more on what they do best instead of 
spending time answering the same questions from users over and over again. 
Looking at the samba list, this is perhaps the one issue that has been 
causing the most confusion among users.

Because it's never enough, once again a big "Thank you" to all the Samba 
team for their outstanding work.
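To make the proposal concrete, here is an added illustration (not code from the post or from Samba) of the RID-based mapping described above: a Unix ID is the domain's configurable base plus the RID, so every DC and member server using the same base derives the same ID without sharing idmap.ldb, well-known RIDs such as 500 or 513 become readable offsets, and a second domain gets its own base so ranges cannot overlap. The domain SIDs and the range width are constructed values for the example.

```python
import re

# Constructed domain SIDs for illustration; real ones come from the DC.
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_B = "S-1-5-21-4444444444-5555555555-6666666666"

# Per-domain ID base, as the post suggests: one million for the first
# domain and two million for a second one so the ranges cannot collide.
ID_BASES = {DOMAIN_A: 1_000_000, DOMAIN_B: 2_000_000}
RANGE_SIZE = 1_000_000   # assumed width of each domain's ID range

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split a textual SID into (domain part, RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def sid_to_id(sid, bases=ID_BASES):
    """Unix ID = domain base + RID; None for unknown domains (e.g. BUILTIN)."""
    domain, rid = parse_sid(sid)
    base = bases.get(domain)
    if base is None or rid >= RANGE_SIZE:
        return None
    return base + rid


def id_to_sid(uid, bases=ID_BASES):
    """Reverse mapping: any DC or member server recovers the same SID."""
    for domain, base in bases.items():
        if base <= uid < base + RANGE_SIZE:
            return f"{domain}-{uid - base}"
    return None


def well_known_ids(domain, bases=ID_BASES):
    """Well-known RIDs map to readable IDs: 500 -> base+500, and so on."""
    names = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}
    return {name: sid_to_id(f"{domain}-{rid}", bases) for rid, name in names.items()}


if __name__ == "__main__":
    print(well_known_ids(DOMAIN_A))
    print(sid_to_id(f"{DOMAIN_B}-1105"), id_to_sid(2_001_105))
```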
