[Samba] An old winbind synchronization question

Andrew Bartlett abartlet at samba.org
Fri May 9 12:07:45 GMT 2003


On Fri, 2003-05-09 at 09:42, The Fresh Prince of Darkness wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> First the setup:
> Samba 2.2.3a on Debian testing, built with ACL support on XFS filesystem.

This version has serious security issues, you should run Samba 2.2.8a.  

In particular, the version in debian testing *has not* been patched, (I
understand there are various internal debian reasons for this).  Either
run Samba 3.0 from unstable, or the version from the security archive
for the current stable (2.2.4a-12.1 I think).

> NT4 PDC (Eventually we plan to implement Samba PDC, but that's a ways off.)
> 
> Secondary offsite Samba server, same config as above, rsyncing data 
> directories every 5-minutes over T1.
> 
> Offsite Backup server grabbing data off the live Samba server nightly 
> via rsync.
> 
> We are implementing Winbind on the Samba server and it seems like a 
> dream come true (Single point of Acct Management!!), but I am 
> anticipating 2 problems.
> 
> 1) Samba server dies and secondary server goes live.  Winbind mappings 
> are per machine, so all file ownerships are blown away.  We're not using 
> NFS in our shop, but I suspect this would be a similar problem there. In 
> this case, though only one of these servers is ever live at a time.

This is being worked on - the provision for a centralized idmap - but is
not available in current releases.

> 2) when rebuilding the primary server from the offsite backups, how can 
> I ensure that the winbind mapping is carried over to avoid the same 
> problem as #1?

Back up the winbindd_idmap.tdb.  You can get a 'safe' copy with
tdbbackup.

> I researched the list archives and saw mention that this was being 
> worked on back in 2001.  Has any progress been made and I just missed 
> the release?  If synchronization is still impossible, if I dump 
> winbindd_idmap.tdb to my backup server, would restoring that be enough 
> to get everything back to square 1?

As long as you copied the files with the '--numeric-ids' option to rsync
- otherwise the IDs would actually be resolved via getpwnam() to a
different idmap.  Now this might be the right, or the wrong thing
depending on the circumstances.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
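Putting the two pieces of advice in the reply above into one nightly job, as an added example that is not from the original mail or from Samba itself: take a consistent copy of the live idmap with tdbbackup, replicate the data tree with rsync --numeric-ids, and then verify that the copy carries the same raw uid/gid numbers as the source (the check that tells you the mapping did not get re-resolved through getpwnam on the far side). The database path, the tdbbackup -s suffix option and the directory layout are assumptions about the installed system.

```shell
#!/bin/sh
# Added example (not from the original mail or from Samba): back up the
# winbindd idmap, replicate data with raw numeric ids, and check the result.
# IDMAP_DB is an assumed path for a Debian-era Samba install.
set -u

IDMAP_DB="${IDMAP_DB:-/var/lib/samba/winbindd_idmap.tdb}"

# Take a consistent copy of a live tdb. tdbbackup writes DB<suffix> next
# to the database (-s sets the suffix); the copy is then moved to DEST.
idmap_backup() {
    db="$1"; dest="$2"
    command -v tdbbackup >/dev/null 2>&1 || { echo "tdbbackup not installed" >&2; return 2; }
    tdbbackup -s .bak "$db" || return 1
    cp -p "$db.bak" "$dest"
}

# Replicate a data tree keeping the numeric uid/gid of every file.
# Without --numeric-ids rsync maps by user/group *name*, which on the
# destination resolves through its own winbindd idmap and may yield
# different numbers for the same domain account.
sync_tree() {
    src="$1"; dst="$2"
    rsync -a --numeric-ids --delete "$src/" "$dst/"
}

# List every path under a tree as "relpath uid gid", sorted (GNU stat).
id_listing() {
    ( cd "$1" && find . -exec stat -c '%n %u %g' {} + | sort )
}

# Compare two trees by relative path and numeric owner; returns 0 only
# when every path exists on both sides with identical uid and gid.
check_ids_preserved() {
    src="$1"; dst="$2"
    tmp=$(mktemp -d) || return 2
    id_listing "$src" > "$tmp/src"
    id_listing "$dst" > "$tmp/dst"
    if cmp -s "$tmp/src" "$tmp/dst"; then
        rm -rf "$tmp"
        echo "ok: uid/gid numbers under $dst match $src"
        return 0
    fi
    echo "MISMATCH: ownership or contents differ between $src and $dst" >&2
    diff "$tmp/src" "$tmp/dst" >&2
    rm -rf "$tmp"
    return 1
}

# Nightly job (paths assumed), run as root on the live server:
#   idmap_backup "$IDMAP_DB" /backup/winbindd_idmap.tdb
#   sync_tree /srv/samba/data backup:/backup/data
#   check_ids_preserved /srv/samba/data /mnt/backup/data   # after mounting
```

When the secondary comes up from the backup, restore winbindd_idmap.tdb into place before starting winbindd; otherwise a fresh daemon starts allocating ids from scratch and the ownership check above will fail for every domain-owned file.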