[Samba] An old winbind synchronization question

Andrew Bartlett abartlet at samba.org
Fri May 9 12:07:45 GMT 2003

On Fri, 2003-05-09 at 09:42, The Fresh Prince of Darkness wrote:
> First the setup:
> Samba 2.2.3a on Debian testing, built with ACL support on XFS filesystem.

This version has serious security issues; you should run Samba 2.2.8a.

In particular, the version in Debian testing *has not* been patched, (I
understand there are various internal Debian reasons for this).  Either
run Samba 3.0 from unstable, or the version from the security archive
for the current stable (2.2.4a-12.1 I think).

> NT4 PDC (Eventually we plan to implement Samba PDC, but that's a ways off.)
> Secondary offsite Samba server, same config as above, rsyncing data 
> directories every 5-minutes over T1.
> Offsite Backup server grabbing data off the live Samba server nightly 
> via rsync.
> We are implementing Winbind on the Samba server and it seems like a 
> dream come true (Single point of Acct Management!!), but I am 
> anticipating 2 problems.
> 1) Samba server dies and secondary server goes live.  Winbind mappings 
> are per machine, so all file ownerships are blown away.  We're not using 
> NFS in our shop, but I suspect this would be a similar problem there. In 
> this case, though only one of these servers is ever live at a time.

This is being worked on - the provision for a centralized idmap - but is
not available in current releases.

> 2) when rebuilding the primary server from the offsite backups, how can 
> I ensure that the winbind mapping is carried over to avoid the same 
> problem as #1?

Back up the winbindd_idmap.tdb.  You can get a 'safe' copy with

> I researched the list archives and saw mention that this was being 
> worked on back in 2001.  Has any progress been made and I just missed 
> the release?  If synchronization is still impossible, if I dump 
> winbindd_idmap.tdb to my backup server, would restoring that be enough 
> to get everything back to square 1?

As long as you copied the files with the '--numeric-ids' option to rsync
- otherwise the IDs would actually be resolved via getpwnam() to a
different idmap.  Now this might be the right, or the wrong thing
depending on the circumstances.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
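The point in the last paragraph of the reply, that a uid allocated by winbind only means something together with the winbindd_idmap.tdb that allocated it, and that rsync's --numeric-ids can therefore be either the right or the wrong choice, is easier to see in a small simulation. The following is an added example, not code from this list post or from the Samba project. It assumes that winbindd hands out uids from its range in the order it first sees each SID, and that rsync without --numeric-ids translates uid to name on the sender and name to uid on the receiver, keeping the raw uid when either lookup fails. The host names, SIDs and file paths are constructed.

```python
# Added example, not code from this Samba list post or from the Samba project.
# It models the point in Andrew's last paragraph: a winbind idmap is per
# server, so a uid only means something together with the winbindd_idmap.tdb
# that allocated it.  Assumptions: winbindd hands out uids from its range in
# the order it first sees each SID, and rsync without --numeric-ids maps
# uid -> name on the sender and name -> uid on the receiver, keeping the raw
# uid when either lookup fails.  Hosts, SIDs and paths are constructed.
from typing import Dict, Optional

DOMAIN = "EXAMPLE"
ALICE, BOB, CAROL = ("S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002",
                     "S-1-5-21-1-2-3-1003")
DOMAIN_USERS: Dict[str, str] = {ALICE: "alice", BOB: "bob", CAROL: "carol"}


class Server:
    """One host; its passwd database for domain users is its winbind idmap."""

    def __init__(self, name: str, winbind: bool = True, first_uid: int = 10000):
        self.name, self.winbind, self.first_uid = name, winbind, first_uid
        self.idmap: Dict[str, int] = {}  # SID -> uid, i.e. winbindd_idmap.tdb

    def uid_for_sid(self, sid: str) -> int:
        """Look the SID up, allocating the next free uid the way winbindd does."""
        if sid not in self.idmap:
            self.idmap[sid] = self.first_uid + len(self.idmap)
        return self.idmap[sid]

    def sid_for_uid(self, uid: int) -> Optional[str]:
        return next((s for s, u in self.idmap.items() if u == uid), None)

    def getpwuid(self, uid: int) -> Optional[str]:
        sid = self.sid_for_uid(uid)
        return f"{DOMAIN}\\{DOMAIN_USERS[sid]}" if sid else None

    def getpwnam(self, name: str) -> Optional[int]:
        if not self.winbind or not name.startswith(DOMAIN + "\\"):
            return None
        user = name.split("\\", 1)[1]
        sid = next((s for s, u in DOMAIN_USERS.items() if u == user), None)
        return self.uid_for_sid(sid) if sid else None

    def restore_idmap(self, saved: Dict[str, int]) -> None:
        """Drop a backed-up winbindd_idmap.tdb onto this host."""
        self.idmap = dict(saved)


def rsync(src: Server, dst: Server, files: Dict[str, int],
          numeric_ids: bool) -> Dict[str, int]:
    """Copy files (path -> owning uid on src); return path -> uid on dst."""
    out = {}
    for path, uid in files.items():
        mapped = None
        if not numeric_ids:  # name-based: uid -> name on src, name -> uid on dst
            name = src.getpwuid(uid)
            mapped = dst.getpwnam(name) if name else None
        out[path] = uid if mapped is None else mapped
    return out


def owners(server: Server, files: Dict[str, int]) -> Dict[str, Optional[str]]:
    """Who, in domain terms, owns each file on 'server' (None = dangling uid)."""
    return {p: server.sid_for_uid(u) for p, u in files.items()}


def failover(numeric_ids: bool) -> Dict[str, Optional[str]]:
    """Live server -> hot spare whose idmap met the users in another order."""
    primary, spare = Server("primary"), Server("spare")
    files = {"/srv/alice.doc": primary.uid_for_sid(ALICE),
             "/srv/bob.doc": primary.uid_for_sid(BOB)}
    spare.uid_for_sid(CAROL)  # carol and alice hit the spare first, in that
    spare.uid_for_sid(ALICE)  # order, so its uid numbers differ from primary's
    return owners(spare, rsync(primary, spare, files, numeric_ids))


def rebuild(numeric_ids: bool, from_spare: bool,
            tdb_before_data: bool = True) -> Dict[str, Optional[str]]:
    """Rebuild the primary from a saved winbindd_idmap.tdb plus a data copy.

    The data comes back either from the spare (which runs winbind, so its uids
    belong to *its* idmap) or from a backup host without winbind that holds a
    raw --numeric-ids copy taken from the primary.
    """
    primary = Server("primary")
    primary.uid_for_sid(ALICE)
    primary.uid_for_sid(BOB)
    files = {"/srv/bob.doc": primary.idmap[BOB],
             "/srv/alice.doc": primary.idmap[ALICE]}
    saved_tdb = dict(primary.idmap)  # the backup of winbindd_idmap.tdb
    if from_spare:
        source = Server("spare")
        data = rsync(primary, source, files, numeric_ids=False)
    else:
        source = Server("backup", winbind=False)
        data = rsync(primary, source, files, numeric_ids=True)
    rebuilt = Server("primary-rebuilt")
    if tdb_before_data:
        rebuilt.restore_idmap(saved_tdb)
    restored = rsync(source, rebuilt, data, numeric_ids)
    if not tdb_before_data:
        rebuilt.restore_idmap(saved_tdb)
    return owners(rebuilt, restored)
```

Running the scenarios shows both halves of "right or wrong depending on the circumstances": a raw numeric copy plus the matching saved tdb restores ownership exactly, whereas a numeric copy taken from a host with its own idmap (the spare) restores the wrong owners, and name-based copying is only safe once the tdb is in place on the receiving host.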