[Samba] idmap & migration to rfc2307

Michael Adam obnox at samba.org
Sat Nov 7 18:23:32 UTC 2015


On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
> On 07/11/15 17:47, Jonathan Hunter wrote:
> >On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
> >>Also, for all I know, the DC always has local unix user and group
> >>IDs, and does NOT use the rfc2307 attributes for this. (Unless
> >>this has changed recently, but I can't imagine how.) So there is
> >>nothing wrong with samba not using the rfc ids on the DC -- this is
> >>how it works by design.
> >Thanks Michael. I will see if I can use winbind locally instead of
> >sssd later this evening, now that I have fully switched to rfc2307
> >rather than algorithmic mappings.
> >
> >One question on this, though - how is file ownership managed on the DC
> >from the samba side? I know DCs aren't "supposed" to be used as file
> >servers in the samba view of things (which is another story
> >altogether), but I can't understand why sometimes the ID mapping comes
> >from the rfc2307 attributes and then later on not. The mapping needs
> >to be consistent so that any files on disk are owned by the correct
> >UID (even if the local DC's Unix system doesn't necessarily know who
> >that UID is - that's the job of winbindd / sssd / etc. as I understand
> >it) ?
> >
> >There are a lot of people (including me) who for various reasons
> >really, really want to use a single machine as both a DC and a file
> >server. Having this work with any sort of consistency in UID mappings
> >is proving to be a little bit problematic :)
> >
> >It's frustrating for me because it works for a while (5 months until
> >yesterday) but then something triggers and it doesn't work again...
> >
> >Cheers
> >
> >J
> >
> 
> The problem here is that whilst the uidNumbers & gidNumbers have always been
> consistent when used on a DC with winbind (now winbindd), you have never
> been able to use per-user home dirs and login shells.
> 
> The user ID problem on DCs using xidNumbers from idmap.ldb is compounded by
> the fact that idmap.ldb can be, and usually is, different on DCs.
> 
> The only way to get consistent IDs is to use RFC2307 attributes, but as I
> said, you cannot use the unixHomeDirectory and loginShell attributes on a
> DC.

That is an interesting point, I'd really like to understand:

Unless you also want to access the shares via NFS (for example),
why are these consistent IDs important?

If looking from windows clients, you don't even see them.

Cheers - Michael
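The divergence Rowland describes above (each DC allocating its own xidNumbers in idmap.ldb, while rfc2307 uidNumber values are replicated and therefore identical everywhere) can be checked mechanically. The script below is an added example, not code from this thread or from the Samba project: it parses two constructed dumps in the shape of `ldbsearch -H /var/lib/samba/private/idmap.ldb` output, reports SIDs whose locally allocated ID differs between the DCs, and models in simplified form what `idmap_ldb:use rfc2307 = yes` does (use the account's uidNumber when present, otherwise fall back to the DC-local xidNumber). The SIDs, xidNumbers and uidNumber values are invented sample data.

```python
"""Compare SID -> ID mappings from two DCs' idmap.ldb dumps and show which
IDs stay consistent once rfc2307 uidNumber attributes are used.
All sample data below is constructed for illustration."""

import re
from typing import Dict, Optional, Tuple

# Constructed excerpts in the shape of ldbsearch output from idmap.ldb on
# two DCs. The same two SIDs were first seen in a different order on each
# DC, so each DC allocated a different xidNumber to the same SID.
DC1_IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-1111-2222-3333-1104
cn: S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 2
dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

DC2_IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 2
dn: CN=S-1-5-21-1111-2222-3333-1104
cn: S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

# Constructed rfc2307 uidNumber values as stored on the AD user objects.
# These replicate, so every DC sees the same value. The account with RID
# 1105 deliberately has no uidNumber set.
AD_UIDNUMBER: Dict[str, int] = {
    "S-1-5-21-1111-2222-3333-1104": 10001,
}

_RECORD_SPLIT = re.compile(r"\n\s*\n")


def parse_idmap_ldif(text: str) -> Dict[str, int]:
    """Return {objectSid: xidNumber} from an ldbsearch dump of idmap.ldb.

    Records are separated by blank lines. Comment lines ('# record 1',
    '# returned 2 records') and records lacking either attribute are skipped.
    """
    mapping: Dict[str, int] = {}
    for record in _RECORD_SPLIT.split(text):
        sid: Optional[str] = None
        xid: Optional[int] = None
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "objectSid":
                sid = value
            elif key == "xidNumber":
                xid = int(value)
        if sid is not None and xid is not None:
            mapping[sid] = xid
    return mapping


def find_mismatches(a: Dict[str, int], b: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """SIDs present in both dumps whose locally allocated ID differs."""
    return {sid: (a[sid], b[sid]) for sid in a.keys() & b.keys() if a[sid] != b[sid]}


def effective_uid(sid: str, rfc2307_uids: Dict[str, int],
                  local_idmap: Dict[str, int]) -> Optional[int]:
    """Simplified model of 'idmap_ldb:use rfc2307 = yes' on a DC (assumption:
    uidNumber wins when the account has one; otherwise the DC falls back to
    its own idmap.ldb allocation, which is what makes IDs diverge)."""
    if sid in rfc2307_uids:
        return rfc2307_uids[sid]
    return local_idmap.get(sid)


if __name__ == "__main__":
    dc1, dc2 = parse_idmap_ldif(DC1_IDMAP_LDIF), parse_idmap_ldif(DC2_IDMAP_LDIF)
    for sid, (x1, x2) in sorted(find_mismatches(dc1, dc2).items()):
        fixed = "consistent via uidNumber" if sid in AD_UIDNUMBER else "STILL DIVERGENT"
        print(f"{sid}: dc1={x1} dc2={x2} -> {fixed}")
```

Run against real dumps (`ldbsearch -H /var/lib/samba/private/idmap.ldb` on each DC, as root) the mismatch list is exactly the set of accounts and groups whose on-disk ownership would differ between DCs; any SID in that list without a uidNumber/gidNumber in AD is one that rfc2307 does not yet cover.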