[Samba] Samba 4 Consistent uid gid mapping across servers.

steve steve at steve-ss.com
Sat Oct 19 01:58:39 MDT 2013

On Fri, 2013-10-18 at 18:09 -0600, Wayne L. Andersen wrote:
> I have 3 Samba 4 Domain Controllers and 1 Member server, been running in 
> production for almost a year and very pleased with the results so far.
> I have winbind installed and working on all of my servers and I am also 
> quite happy with that as well, except that the inconsistent uid and gid 
> mapping is starting to cause some problems for me.
> I have done a fair bit of research and I think I would like to try 
> implementing rfc2307 and using nss_pam_ldap.

May I recommend instead nslcd/nss-ldapd or, even better, sssd? The latter
now has a superb ad backend.
> I am pretty comfortable with setting that up.
> My question is, that since I did not specify rfc2307 when I originally 
> provisioned the domain what is going to be the effect if I try to use it 
> after the fact.

No problem. You can use the full set of rfc2307 attributes perfectly
well without it.
> First does the schema need to be extended, or is it already present and 
> just needs to be activated by adding the rfc2307 options to my existing 
> smb.conf, and then restart.

It is already present in the 2008R2 schema that is shipped out of the
box with Samba.

>      If not what is the best way to extend it, can I do it from my 
> windows server 2003 by adding the "Identity Management for UNIX" role?
>      Or are there other tools to accomplish this. I am using the internal 
> DNS for Samba.
> Second assuming I can get it extended and working, I am assuming that I 
> will have to manually update existing unix objects that are already 
> owned by the old random uid and gid to the new values.

Yes. You will need to add any rfc2307 attrs you wish to include along
with the other details under the DN of the user or group.

>      Creating a script for this should not be that big of a problem 
> since the majority of my users are not actually logging into the Linux 
> machines.

Not a big deal. You can use wbinfo -i to pull the info for uidNumber and
gidNumber and ldbmodify. But be warned: do this on a _single_ DC and add
idmap_ldb:use rfc2307 = Yes
to smb.conf on all your DC's afterwards.
Give the other DC's plenty of time to replicate after you run your
script. Don't forget to change to idmap config ad on the file servers.

>      So for the most part it will just be folders and files.
>      I already have a script for setting and re-setting permissions 
> based on the info retrieved from winbind.
> What do you think?
Great idea. Storing all the attributes for all objects in a single place
is most certainly better than separating just some of the attributes
elsewhere in another database. Keep it simple.

Good luck,

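A script in the spirit of the wbinfo -i / ldbmodify approach described above, added here as an example and not code from the thread or from Samba itself; the DNs, the sample wbinfo lines and the sam.ldb path are assumptions or placeholders:

```shell
#!/bin/sh
# Added example, not from the thread. Turns the passwd-style line that
# `wbinfo -i USER` prints (DOM\user:*:uid:gid:gecos:home:shell) and the
# line `wbinfo --group-info GROUP` prints (DOM\group:x:gid:members) into
# LDIF for ldbmodify, so the uid/gid winbind already allocated on this DC
# are stored as rfc2307 attributes under the object's DN.

field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Emit an ldbmodify change for one user. Returns 1 on a malformed line so a
# loop over many users never writes a non-numeric uidNumber/gidNumber.
user_to_ldif() {
    line=$1; dn=$2
    uid=$(field "$line" 3); gid=$(field "$line" 4)
    home=$(field "$line" 6); shell=$(field "$line" 7)
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uid"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$gid"
    printf 'replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
    printf 'replace: loginShell\nloginShell: %s\n-\n\n' "$shell"
}

# Same for a group: only gidNumber is needed.
group_to_ldif() {
    line=$1; dn=$2
    gid=$(field "$line" 3)
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac
    printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n-\n\n' "$dn" "$gid"
}

# Constructed sample lines standing in for live wbinfo output.
SAMPLE_USER='EXAMPLE\wayne:*:3000012:100:Wayne Andersen:/home/EXAMPLE/wayne:/bin/bash'
SAMPLE_GROUP='EXAMPLE\linuxusers:x:3000005:EXAMPLE\wayne'

# Generate the LDIF on stdout; apply it on ONE DC only, for instance
#   ldbmodify -H /path/to/sam.ldb changes.ldif     (path is a placeholder)
# then add "idmap_ldb:use rfc2307 = Yes" to smb.conf and let it replicate.
user_to_ldif "$SAMPLE_USER" 'CN=wayne,CN=Users,DC=example,DC=com'
group_to_ldif "$SAMPLE_GROUP" 'CN=linuxusers,CN=Users,DC=example,DC=com'
```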