[Samba] Samba 3.0.0 -- ACLs are unusable due to UID/SID mappingweirdness :(

[Andrew Smith-MAGAZINES]

I also need to get centralised mapping configured if I am to deploy Samba, although we're planning to deploy an LDAP server also so this isn't an additional overhead for me.

Two comments, to avoid the additional overhead of implementing a seperate LDAP infrastructure could future versions of Samba support storing the idmap mapping date in Active Directory?
When using idmap = ldap in the current release of Samba 3 there doesn't appear to be any option for specifying a bind account, does this mean I have to allow anonymous write access to my LDAP server(s)?

thanks Andy Smith.

PS can you specify multiple idmap backend = ldap:.. servers? or is this a single point of failure?

-----Original Message-----
From: samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org
[mailto:samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org]On Behalf Of
John H Terpstra
Posted At: 22 October 2003 23:43
Posted To: Samba
Conversation: [Samba] Samba 3.0.0 -- ACLs are unusable due to UID/SID
mappingweirdness :( 
Subject: Re: [Samba] Samba 3.0.0 -- ACLs are unusable due to UID/SID
mappingweirdness :( 


On Wed, 22 Oct 2003, Eric Horst wrote:

>
> > > By "consistent and simple" I mean,  something like -- "you have a
> > > Windows user that needs to get to a Samba share? Create a UNIX account
> > > with the *same name* and you will get an smbd process with the UID and
> > > hence the permissions of that user accessing the files on the server
> > > (ok not always). The authentication will be done on the NT side though".
> >
> > Nope. You should use winbind for that. Any other way will cause you
> > problems when you try to use ACLs.
>
>
> I think I understand at least a part of Anton's issue.  It's one that I've
> been thinking about as we deploy Samba 3.0.  We never really thought much
> about ACLs until now and have never run winbindd.  The problem boils down
> to this:  We currently have a group of seven Samba/NFS file servers which
> are members of a Windows domain.  The Windows usernames and group names
> are synchronized.  The numeric UIDs and GIDs are uniform across all of
> them by virtue of the fact that they have a common /etc/passwd.  We want
> to jump on the ACL bandwagon and do things right using winbindd.
> However, in a distributed environment the official way of mapping SIDs to
> UIDs consistently across the servers involves an 'idmap backend'.  All of
> the idmap backends involve ldap.  It is frustrating that I have to
> introduce the overhead of deploying an LDAP server and populate it with
> UID mappings even though the file servers already have an /etc/passwd
> which has enough information to map numeric Unix UIDs consistently.
>
> I know idmap'ing was a hot topic during development so you have probably
> already considered all of this.  At the time, watching the discussion I
> didn't follow it all but now starting to consider deployment the issues
> are becoming clearer.

Equally, the real issues, where the rubber meets the road, are becoming
clearer also. We anticipated these concerns correctly. I am glad we have
only a simple problem today. It could have been much more challenging.

We are now at a point where if the current limitations are too restrictive
we must know that very soon. I do not know if this can be changed for
3.0.1 (Jeremy will have to weigh in on that), but if the case is strong
enough it may be addressed for 3.0.2 (even that depends on what sort of
ground-swell there is for a change).

So here is my take: If this is a big show stopper issue please file a bug
report on https://bugzilla.samba.org. Please, if this is NOT a
show-stopper, then let's not pressure the developers too hashly - we pay
them peanuts and expect them to work night and day already! :)

- John T.
-- 
John H Terpstra
Email: jht at samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically
stated.
If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.