[Samba] Mixed Samba4 and 3.6 uids/gids

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 22 14:48:17 MST 2014


On 22/12/14 21:35, William Ross wrote:
> On 22/12/14 19:04, Rowland Penny wrote:
>> On 22/12/14 17:22, Denis Cardon wrote:
>>> Hi William,
>>>
>>>> I have an AD domain (Samba 4.1.13 domain controllers) and some Samba
>>>> 3.6 clients.
>>>> I would like the uid/gid mappings to be consistent across the two
>>>> sets of machines.
>>> By the way, samba 3.6 is going end of life pretty soon (see the recent
>>> 4.2RC3 release notes), you should upgrade your 3.6 domain members to
>>> samba4 too.
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>> Hi, what you are saying Denis is true as far as it goes, but the OP also
>> needs to add the required RFC2307 attributes (uidNumber, gidNumber) to
>> the user & group objects.
>> Rowland
> Does upgrading the member servers to Samba 4 mean they can share the
> uid/gid mapping the Samba 4 DCs are currently using?

Samba 4 is just the next version after 3.6.x and as such works pretty
much like 3.6.x (though there are slight parameter differences).
I am pretty sure that there is no way to get the same ID numbers on
member servers as on the DC without using RFC2307 attributes.

>
> According to https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> I would still need to use:
>
> idmap config DOMAIN : backend = ad
>
> for a member server even under Samba 4. Which would mean I would need to
> populate the uid/gid attributes within AD.
> At present, presumably my Samba4 DCs are storing a mapping in the .ldb/.tdb
> files in /usr/local/samba/private (hidden from AD). Is there no way to use
> the same mapping on a member server?

No, the real reason for idmap.ldb is to store IDs for the BUILTIN
well-known SIDs; it also maps users & groups as well. This setup is not
used on member servers.

You could do what the Samba wiki advises, only use the DC for 
authentication.

Rowland
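
An added example, not part of the original message or of Samba itself: a check over an LDIF export for accounts that lack the RFC2307 attributes named above (uidNumber, gidNumber), carry a value outside the range given to the `ad` idmap backend, or share a uidNumber. The range 10000-999999, the sample entries, the function names and the plain unfolded LDIF input are all assumptions.

```python
from collections import defaultdict
# Constructed sample entries; names and numbers are illustrative only.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
gidNumber: 10000

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10001
gidNumber: 10000

dn: CN=dave,CN=Users,DC=example,DC=com
sAMAccountName: dave
uidNumber: 500
gidNumber: 10000
"""

def parse_ldif(text):
    """Yield one dict per entry; attribute names lower-cased, last value wins."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry[key.lower()] = value.strip()
        yield entry

def audit_users(text, low=10000, high=999999):
    """Return {account: [problems]}; low/high is the assumed idmap range."""
    problems, seen = defaultdict(list), defaultdict(list)
    for e in parse_ldif(text):
        name = e.get("samaccountname", e.get("dn", "?"))
        for attr in ("uidNumber", "gidNumber"):
            value = e.get(attr.lower())
            if value is None:
                problems[name].append(f"missing {attr}")
            elif not value.isdigit() or not low <= int(value) <= high:
                problems[name].append(f"{attr} {value} outside {low}-{high}")
        if "uidnumber" in e:
            seen[e["uidnumber"]].append(name)
    for uid, names in seen.items():
        for n in names if len(names) > 1 else []:
            problems[n].append(f"uidNumber {uid} also used by another account")
    return dict(problems)
```

Accounts reported here are the ones whose file ownership is likely to differ between machines, so they are worth fixing in AD before the member servers are switched to the `ad` backend.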

