Domain provision, xidNumber and RIDs
medalist at sapo.pt
Fri Jun 17 22:03:44 UTC 2016
The subject of xidNumber and users having different IDs between
different DCs and between DCs and member servers has been (and I fear
will be) the subject of endless and perhaps unnecessary confusion
amongst Samba users.
I am not a programmer but I am certainly (at least somewhat) capable of
logical thinking, so there are some aspects of this matter I would like
to discuss. I am assuming, of course, that someone from the Samba
developer team is willing to listen to an outsider.
The developers of the Samba AD code probably had some strong reasons,
which escape those like me who are not involved in actually doing it, to
do this the way they did, but the truth is that from a common user's
point of view the final result presents itself as an unnecessarily
complicated mess. Viewed from the outside, it looks like Samba already
had all the components in place for a tidier setup but somewhere along
the line things took a "wrong" turn.
At the moment of domain provision, why not obtain the IDs given to users
and groups from a predictable and stable source such as the user's and
group's RIDs instead of that arbitrary and potentially inconsistent
3000000 range that has sparked so much confusion?
-- At domain provision, samba-tool would offer a parameter for the ID
base, with a default of maybe 1000000 (one million), optionally
configurable by the admin -- for example a different base (let's say
2000000, in case of dealing with more than one domain) or a number with
more digits (if a larger number of users is to be expected for a
Using this base, IDs would be directly derived from the RID part of the
SID. With this direct correspondence, Well-Known SIDs would
automatically translate to easily readable and easily relatable UIDs.
-- Provision of additional DCs, as long as the same RID base is used,
would provide the same IDs for all DCs. No need to copy idmap.ldb
between DCs to maintain consistency.
A nice touch would be:
-- If RFC2307 is selected at the time of domain provision
(--use-rfc2307), automatically install the NIS extensions to the AD
schema and fill the corresponding UID and GID fields with the
RID-derived numbers obtained above (with the appropriate exceptions such
as Administrator, of course), as well as a default for user shell and
home, preferably also configurable from samba-tool parameters. These
fields and home+shell would of course be individually editable later for
-- When configuring a member server, in most cases admins would only
have to choose between the RFC2307 and RID backends and parametrize them
properly in smb.conf. Done.
As far as I can see, these measures would provide an almost automatic
configuration, satisfying the needs of the large majority of users while
still leaving room for those who need further customization.
Even though I don't know the intricacies of the relevant code, based on
the little I know I would think that it is not too late to perfect this
issue in upcoming releases of Samba.
This would be a win-win situation: users would not suffer and Samba
developers could concentrate more on what they do best instead of
spending time answering the same questions of users over and over again.
Looking at the samba list, this is perhaps the one issue that has been
causing more confusion to users.
Because it's never enough, once again a big "Thank you" to all the Samba
team for their outstanding work.
More information about the samba-technical