[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny241155 at gmail.com
Sat Nov 7 18:00:11 UTC 2015

On 07/11/15 17:47, Jonathan Hunter wrote:
> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>> Also, for all I know, the DC always has local unix user and group
>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>> this has changed recently, but I can't imagine how.) So there is
>> nothing wrong with samba not using the rfc ids on the DC -- this is
>> how it works by design.
> Thanks Michael. I will see if I can use winbind locally instead of
> sssd later this evening, now that I have fully switched to rfc2307
> rather than algorithmic mappings.
> One question on this, though - how is file ownership managed on the DC
> from the samba side? I know DCs aren't "supposed" to be used as file
> servers in the samba view of things (which is another story
> altogether), but I can't understand why sometimes the ID mapping comes
> from the rfc2307 attributes and then later on not. The mapping needs
> to be consistent so that any files on disk are owned by the correct
> UID (even if the local DC's Unix system doesn't necessarily know who
> that UID is - that's the job of winbindd / sssd / etc. as I understand
> it) ?
> There are a lot of people (including me) who for various reasons
> really, really want to use a single machine as both a DC and a file
> server. Having this work with any sort of consistency in UID mappings
> is proving to be a little bit problematic :)
> It's frustrating for me because it works for a while (5 months until
> yesterday) but then something triggers and it doesn't work again...
> Cheers
> J

The problem here is that whilst the uidNumbers & gidNumbers have always 
been consistent when used on a DC with winbind (now winbindd), you have 
never been able to use per-user home dirs and login shells.

The user ID problem on DCs using xidNumbers from idmap.ldb is 
compounded by the fact that idmap.ldb can be and usually is different on 

The only way to get consistent IDs is to use RFC2307 attributes, but as 
I said, you cannot use the unixhomedirectory and loginshell attributes 
on a DC.
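The point about xidNumbers versus RFC2307 attributes is easiest to see by comparing the two mappings side by side. The following is an added example, not Samba project code and not something from the thread: it parses LDIF-style text of the kind `ldbsearch` prints (the samples below are constructed, with a made-up domain SID, hypothetical DC names `dc1`/`dc2` and hypothetical accounts) and reports, per DC, where the locally allocated xidNumber for a user differs from the uidNumber held in AD, and which SIDs the two DCs allocated differently from each other. Function names such as `find_mismatches` are this example's own.

```python
"""Consistency check between per-DC idmap.ldb xidNumbers and AD rfc2307
uidNumbers. Added example for this thread; not Samba project code.
Inputs are LDIF-style text such as `ldbsearch` can print; the samples
below are constructed, not taken from a real domain."""
from collections import defaultdict


def parse_ldif(text):
    """Split a minimal LDIF dump into a list of {attribute: value} dicts.
    Only single-valued attributes are handled, which is enough for the
    idmap.ldb records and the user attributes compared here."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current[attr] = value
    if current:
        entries.append(current)
    return entries


def idmap_by_sid(ldif_text):
    """objectSid -> xidNumber for every record in an idmap.ldb dump."""
    return {e["objectSid"]: int(e["xidNumber"])
            for e in parse_ldif(ldif_text) if "xidNumber" in e}


def rfc2307_by_sid(ldif_text):
    """objectSid -> (sAMAccountName, uidNumber) for users that carry a
    uidNumber. Users without one are skipped: nothing to compare."""
    out = {}
    for e in parse_ldif(ldif_text):
        if "uidNumber" in e:
            out[e["objectSid"]] = (e["sAMAccountName"], int(e["uidNumber"]))
    return out


def find_mismatches(dc_idmaps, ad_users):
    """(dc, account, xidNumber, uidNumber) for each user whose local
    xidNumber on a DC differs from the rfc2307 uidNumber in AD."""
    rows = []
    for dc, mapping in sorted(dc_idmaps.items()):
        for sid, (account, uid) in sorted(ad_users.items()):
            xid = mapping.get(sid)
            if xid is not None and xid != uid:
                rows.append((dc, account, xid, uid))
    return rows


def find_dc_disagreements(dc_idmaps):
    """SIDs that two or more DCs allocated different xidNumbers to."""
    seen = defaultdict(dict)
    for dc, mapping in dc_idmaps.items():
        for sid, xid in mapping.items():
            seen[sid][dc] = xid
    return {sid: by_dc for sid, by_dc in seen.items()
            if len(set(by_dc.values())) > 1}


# Constructed samples (hypothetical domain SID and accounts): each DC has
# allocated its own xidNumber for the same SID, while AD holds the
# rfc2307 uidNumber that files should actually be owned by.
SID = "S-1-5-21-1111111111-2222222222-3333333333-"
DC1_IDMAP = f"""
dn: CN={SID}1104
objectSid: {SID}1104
type: ID_TYPE_BOTH
xidNumber: 3000012

dn: CN={SID}1105
objectSid: {SID}1105
type: ID_TYPE_BOTH
xidNumber: 3000013
"""
DC2_IDMAP = DC1_IDMAP.replace("xidNumber: 3000012", "xidNumber: 3000020")
AD_USERS = f"""
dn: CN=jhunter,CN=Users,DC=example,DC=test
sAMAccountName: jhunter
objectSid: {SID}1104
uidNumber: 10001

dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
objectSid: {SID}1105
uidNumber: 10002

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
objectSid: {SID}1106
"""


def run_check():
    """Run both checks over the constructed samples."""
    dc_idmaps = {"dc1": idmap_by_sid(DC1_IDMAP), "dc2": idmap_by_sid(DC2_IDMAP)}
    ad_users = rfc2307_by_sid(AD_USERS)
    return find_mismatches(dc_idmaps, ad_users), find_dc_disagreements(dc_idmaps)


if __name__ == "__main__":
    mismatches, disagreements = run_check()
    for dc, account, xid, uid in mismatches:
        print(f"{dc}: {account} owns files as {xid} locally, rfc2307 says {uid}")
    for sid, by_dc in disagreements.items():
        print(f"{sid}: DCs disagree on xidNumber: {by_dc}")
```

Run as-is it reports four mismatches (both users on both DCs) and one SID the two DCs mapped differently; `bob` has no uidNumber and so is not compared at all, which is exactly the case where winbind has nothing but idmap.ldb to fall back on.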

