[Samba] An old winbind synchronization question
Andrew Bartlett
abartlet at samba.org
Fri May 9 12:07:45 GMT 2003
On Fri, 2003-05-09 at 09:42, The Fresh Prince of Darkness wrote:
> First the setup:
> Samba 2.2.3a on Debian testing, built with ACL support on XFS filesystem.

This version has serious security issues, you should run Samba 2.2.8a.
In particular, the version in Debian testing *has not* been patched (I
understand there are various internal Debian reasons for this). Either
run Samba 3.0 from unstable, or the version from the security archive
for the current stable (2.2.4a-12.1 I think).

> NT4 PDC (Eventually we plan to implement Samba PDC, but that's a ways off.)
>
> Secondary offsite Samba server, same config as above, rsyncing data
> directories every 5-minutes over T1.
>
> Offsite Backup server grabbing data off the live Samba server nightly
> via rsync.
>
> We are implementing Winbind on the Samba server and it seems like a
> dream come true (Single point of Acct Management!!), but I am
> anticipating 2 problems.
>
> 1) Samba server dies and secondary server goes live. Winbind mappings
> are per machine, so all file ownerships are blown away. We're not using
> NFS in our shop, but I suspect this would be a similar problem there. In
> this case, though only one of these servers is ever live at a time.

This is being worked on - the provision for a centralized idmap - but is
not available in current releases.

> 2) when rebuilding the primary server from the offsite backups, how can
> I ensure that the winbind mapping is carried over to avoid the same
> problem as #1?

Back up the winbind_idmap.tdb. You can get a 'safe' copy with
tdbbackup.

> I researched the list archives and saw mention that this was being
> worked on back in 2001. Has any progress been made and I just missed
> the release? If synchronization is still impossible, if I dump
> winbindd_idmap.tdb to my backup server, would restoring that be enough
> to get everything back to square 1?

As long as you copied the files with the '--numeric-ids' option to rsync
- otherwise the IDs would actually be resolved via getpwnam() to a
different idmap. Now this might be the right or the wrong thing,
depending on the circumstances.

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
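
The ownership question in the reply above, worked through as an added example (not part of the original message and not Samba or rsync code). It models rsync's documented owner mapping, by name unless `--numeric-ids` is given, over two constructed winbind idmaps; the account names, uids and paths are sample values.

```python
# Constructed sample data: the same two domain accounts, allocated in a
# different order by winbind on each machine.
PRIMARY = {"DOM\\alice": 10000, "DOM\\bob": 10001}
SECONDARY = {"DOM\\bob": 10000, "DOM\\alice": 10001}
BACKUP = {}  # backup host without winbind: no domain names resolve
FILES = {"/data/a.doc": 10000, "/data/b.xls": 10001}  # path -> uid on primary


def rsync_owner(files, src_idmap, dest_idmap, numeric_ids):
    """Model the uid each file receives on the destination.

    dest_idmap stands in for getpwnam() on the receiving side.
    """
    src_names = {uid: name for name, uid in src_idmap.items()}
    out = {}
    for path, uid in files.items():
        name = src_names.get(uid)
        if numeric_ids or name is None:
            out[path] = uid  # keep the sender's number as-is
        else:
            # Default: match by name, fall back to the number if unknown.
            out[path] = dest_idmap.get(name, uid)
    return out


def owners(files, idmap):
    """Resolve each file's uid back to an account name under a given idmap."""
    names = {uid: name for name, uid in idmap.items()}
    return {path: names.get(uid) for path, uid in files.items()}


if __name__ == "__main__":
    truth = owners(FILES, PRIMARY)
    # Rebuild: primary -> backup -> rebuilt primary with the idmap tdb restored.
    on_backup = rsync_owner(FILES, PRIMARY, BACKUP, numeric_ids=True)
    rebuilt = rsync_owner(on_backup, BACKUP, PRIMARY, numeric_ids=True)
    print("rebuild, numeric ids:", owners(rebuilt, PRIMARY) == truth)
    # Failover: the secondary keeps its own, different idmap.
    for numeric in (True, False):
        got = rsync_owner(FILES, PRIMARY, SECONDARY, numeric_ids=numeric)
        print("secondary, numeric_ids=%s:" % numeric, owners(got, SECONDARY) == truth)
```

With the idmap restored alongside the data, numeric ids keep ownership intact; against a machine with its own idmap, the same option hands files to a different account, while name-based mapping follows the account.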