[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny241155 at gmail.com
Sat Nov 7 18:54:21 UTC 2015

On 07/11/15 18:23, Michael Adam wrote:
> On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
>> On 07/11/15 17:47, Jonathan Hunter wrote:
>>> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>>>> Also, for all I know, the DC always has local unix user and group
>>>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>>>> this has changed recently, but I can't imagine how.) So there is
>>>> nothing wrong with samba not using the rfc ids on the DC -- this is
>>>> how it works by design.
>>> Thanks Michael. I will see if I can use winbind locally instead of
>>> sssd later this evening, now that I have fully switched to rfc2307
>>> rather than algorithmic mappings.
>>> One question on this, though - how is file ownership managed on the DC
>>> from the samba side? I know DCs aren't "supposed" to be used as file
>>> servers in the samba view of things (which is another story
>>> altogether), but I can't understand why sometimes the ID mapping comes
>>> from the rfc2307 attributes and then later on not. The mapping needs
>>> to be consistent so that any files on disk are owned by the correct
>>> UID (even if the local DC's Unix system doesn't necessarily know who
>>> that UID is - that's the job of winbindd / sssd / etc. as I understand
>>> it) ?
>>> There are a lot of people (including me) who for various reasons
>>> really, really want to use a single machine as both a DC and a file
>>> server. Having this work with any sort of consistency in UID mappings
>>> is proving to be a little bit problematic :)
>>> It's frustrating for me because it works for a while (5 months until
>>> yesterday) but then something triggers and it doesn't work again...
>>> Cheers
>>> J
>> The problem here is that whilst the uidNumbers & gidNumbers have always been
>> consistent when used on a DC with winbind (now winbindd), you have never
>> been able to use per-user home dirs and login shells.
>> The user ID problem on DCs using xidNumbers from idmap.ldb is compounded by
>> the fact that idmap.ldb can be and usually is different on DCs.
>> The only way to get consistent IDs is to use RFC2307 attributes, but as I
>> said, you cannot use the unixhomedirectory and loginshell attributes on a
>> DC.
> That is an interesting point, I'd really like to understand:
> Unless you want to access the shares also with NFS (e.g.),
> then why are these consistent IDs important?
> If looking from windows clients, you don't even see them.
> Cheers - Michael

Can I introduce you to the concept of an all Unix AD domain?
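
The quoted point above is that xidNumbers in idmap.ldb are allocated locally on each DC and are usually different between DCs, so the same SID can map to a different Unix ID depending on which DC answers, while uidNumber/gidNumber on the AD object itself is the same everywhere. The following is an added example, not code from the thread or from the Samba project: it parses the text an `ldbsearch -H idmap.ldb` dump would produce for two DCs (the dumps below are constructed sample data, not real output), reports SIDs whose xidNumber disagrees, and lists SIDs that have no rfc2307 attribute and therefore still depend on the per-DC allocation. The DC names `dc1`/`dc2` and the SIDs are invented.

```python
"""Added example (not from the thread): check for inconsistent SID->xid
mappings between two DCs' idmap.ldb dumps, and for objects that still lack
rfc2307 uidNumber/gidNumber attributes."""

# Constructed dumps in ldbsearch output style (not real data).
IDMAP_DUMPS = {
    "dc1": """# record 1
dn: CN=S-1-5-21-111-222-333-1104
cn: S-1-5-21-111-222-333-1104
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-1104
type: ID_TYPE_BOTH
xidNumber: 3000021

# record 2
dn: CN=S-1-5-21-111-222-333-1105
cn: S-1-5-21-111-222-333-1105
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-1105
type: ID_TYPE_BOTH
xidNumber: 3000022

# returned 2 records
""",
    "dc2": """# record 1
dn: CN=S-1-5-21-111-222-333-1104
cn: S-1-5-21-111-222-333-1104
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-1104
type: ID_TYPE_BOTH
xidNumber: 3000035

# record 2
dn: CN=S-1-5-21-111-222-333-1105
cn: S-1-5-21-111-222-333-1105
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-1105
type: ID_TYPE_BOTH
xidNumber: 3000022
""",
}

# Constructed user records as a sam.ldb query for sAMAccountName, objectSid
# and uidNumber might show them; bob has no rfc2307 uidNumber.
USERS_DUMP = """# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
objectSid: S-1-5-21-111-222-333-1104
uidNumber: 10001

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
objectSid: S-1-5-21-111-222-333-1105
"""


def parse_ldb_dump(text):
    """Parse ldbsearch-style text into a list of {attribute: value} dicts.
    Records are separated by blank lines; lines starting with '#' are comments."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        records.append(current)
    return records


def sid_to_xid(records):
    """Map objectSid -> xidNumber for the sidMap records of one idmap.ldb dump."""
    return {r["objectSid"]: int(r["xidNumber"])
            for r in records
            if r.get("objectClass") == "sidMap" and "xidNumber" in r}


def find_mismatches(dumps):
    """dumps: {dc_name: dump_text}. Returns {sid: {dc: xid}} for every SID
    whose xidNumber is not identical on all DCs that have a mapping for it."""
    per_dc = {dc: sid_to_xid(parse_ldb_dump(t)) for dc, t in dumps.items()}
    all_sids = set().union(*per_dc.values())
    mismatches = {}
    for sid in sorted(all_sids):
        seen = {dc: m[sid] for dc, m in per_dc.items() if sid in m}
        if len(set(seen.values())) > 1:
            mismatches[sid] = seen
    return mismatches


def missing_rfc2307(records):
    """SIDs of objects with neither uidNumber nor gidNumber: these still get a
    locally allocated xidNumber on each DC instead of a domain-wide ID."""
    return sorted(r["objectSid"] for r in records
                  if "objectSid" in r
                  and "uidNumber" not in r and "gidNumber" not in r)


if __name__ == "__main__":
    for sid, by_dc in find_mismatches(IDMAP_DUMPS).items():
        print("xidNumber differs for", sid, by_dc)
    for sid in missing_rfc2307(parse_ldb_dump(USERS_DUMP)):
        print("no rfc2307 ID, falls back to idmap.ldb:", sid)
```

On a real domain the dumps would come from `ldbsearch -H /var/lib/samba/private/idmap.ldb` on each DC and the user records from a sam.ldb query; the script only needs the objectSid, xidNumber, uidNumber and gidNumber attributes to be present in the text it is given.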