[Samba] idmap & migration to rfc2307

Michael Adam obnox at samba.org
Sat Nov 7 21:29:29 UTC 2015

On 2015-11-07 at 18:54 +0000, Rowland Penny wrote:
> On 07/11/15 18:23, Michael Adam wrote:
> >On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
> >>On 07/11/15 17:47, Jonathan Hunter wrote:
> >>>On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
> >>>>Also, for all I know, the DC always has local unix user and group
> >>>>IDs, and does NOT use the rfc2307 attributes for this. (Unless
> >>>>this has changed recently, but I can't imagine how.) So there is
> >>>>nothing wrong with samba not using the rfc ids on the DC -- this is
> >>>>how it works by design.
> >>>Thanks Michael. I will see if I can use winbind locally instead of
> >>>sssd later this evening, now that I have fully switched to rfc2307
> >>>rather than algorithmic mappings.
> >>>
> >>>One question on this, though - how is file ownership managed on the DC
> >>>from the samba side? I know DCs aren't "supposed" to be used as file
> >>>servers in the samba view of things (which is another story
> >>>altogether), but I can't understand why sometimes the ID mapping comes
> >>>from the rfc2307 attributes and then later on not. The mapping needs
> >>>to be consistent so that any files on disk are owned by the correct
> >>>UID (even if the local DC's Unix system doesn't necessarily know who
> >>>that UID is - that's the job of winbindd / sssd / etc. as I understand
> >>>it) ?
> >>>
> >>>There are a lot of people (including me) who for various reasons
> >>>really, really want to use a single machine as both a DC and a file
> >>>server. Having this work with any sort of consistency in UID mappings
> >>>is proving to be a little bit problematic :)
> >>>
> >>>It's frustrating for me because it works for a while (5 months until
> >>>yesterday) but then something triggers and it doesn't work again...
> >>>
> >>>Cheers
> >>>
> >>>J
> >>>
> >>The problem here is that whilst the uidNumbers & gidNumbers have always been
> >>consistent when used on a DC with winbind (now winbindd), you have never
> >>been able to use per-user home dirs and login shells.
> >>
> >>The user ID problem on DCs using xidNumbers from idmap.ldb is compounded by
> >>the fact that idmap.ldb can be and usually is different on DCs.
> >>
> >>The only way to get consistent IDs is to use RFC2307 attributes, but as I
> >>said, you cannot use the unixhomedirectory and loginshell attributes on a
> >>DC.
> >That is an interesting point, I'd really like to understand:
> >
> >Unless you want to access the shares also with NFS (e.g.),
> >then why are these consistent IDs important?
> >
> >If looking from windows clients, you don't even see them.
> Can I introduce you to the concept of an all Unix AD domain?

Please do!
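The inconsistency Rowland describes above (idmap.ldb being allocated independently on each DC, versus uidNumber/gidNumber stored on the replicated user object) can be checked mechanically. The script below is an added example for this thread, not code from the Samba project or from any of the participants: it parses LDIF text shaped like `ldbsearch -H /var/lib/samba/private/idmap.ldb` output from several DCs, reports every SID whose locally allocated xidNumber differs between DCs (or is missing on one of them), and shows the RFC2307 uidNumber for the same SIDs alongside. The domain SID, DC names, users and all dumps are constructed sample data; the script assumes plain LDIF without base64 (`::`) values or folded continuation lines.

```python
"""Spot per-DC divergence of idmap.ldb xidNumber allocations.

Added example for the thread above, not code from the Samba project. All
dumps here are constructed sample data shaped like `ldbsearch -H idmap.ldb`
output (attributes objectSid, type, xidNumber). Assumes plain LDIF: no
base64 (`::`) values and no folded continuation lines.
"""
from collections import defaultdict

DOM = "S-1-5-21-1111-2222-3333"  # constructed domain SID


def parse_ldif(text):
    """Split LDIF text into one {attribute: [values]} dict per blank-line-separated entry."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current[key.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def sid_map(text):
    """{objectSid: (type, xidNumber)} for the sidMap entries of one idmap.ldb dump.
    The CN=CONFIG record (lowerBound/upperBound/next xidNumber) has no objectSid and is skipped."""
    result = {}
    for e in parse_ldif(text):
        if "objectSid" in e and "xidNumber" in e:
            result[e["objectSid"][0]] = (e.get("type", ["?"])[0], int(e["xidNumber"][0]))
    return result


def compare_dcs(dumps):
    """dumps: {dc_name: ldif_text}. Return {sid: {dc_name: xid}} for each SID that is
    missing on some DC or has a different xidNumber on different DCs."""
    per_dc = {dc: sid_map(text) for dc, text in dumps.items()}
    all_sids = set().union(*(m.keys() for m in per_dc.values()))
    divergent = {}
    for sid in sorted(all_sids):
        xids = {dc: m[sid][1] for dc, m in per_dc.items() if sid in m}
        if len(xids) != len(per_dc) or len(set(xids.values())) > 1:
            divergent[sid] = xids
    return divergent


def rfc2307_ids(text):
    """{objectSid: uidNumber} from a dump of user objects carrying RFC2307 uidNumber.
    uidNumber sits on the replicated user object, so every DC returns the same value."""
    return {e["objectSid"][0]: int(e["uidNumber"][0])
            for e in parse_ldif(text) if "objectSid" in e and "uidNumber" in e}


def fake_idmap_dump(next_xid, allocations):
    """Constructed idmap.ldb-style LDIF (sample data, not real ldbsearch output)."""
    blocks = [f"dn: CN=CONFIG\ncn: CONFIG\nlowerBound: 3000000\nupperBound: 4000000\nxidNumber: {next_xid}\n"]
    for sid, idtype, xid in allocations:
        blocks.append(f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\nobjectSid: {sid}\ntype: {idtype}\nxidNumber: {xid}\n")
    return "\n".join(blocks)


# Two DCs that allocated xids independently, in a different order (constructed).
DUMPS = {
    "dc1": fake_idmap_dump(3000004, [
        (f"{DOM}-513", "ID_TYPE_BOTH", 3000000),   # Domain Users
        (f"{DOM}-1104", "ID_TYPE_UID", 3000001),   # jhunter
        (f"{DOM}-1105", "ID_TYPE_UID", 3000002),   # rpenny
        (f"{DOM}-1106", "ID_TYPE_UID", 3000003),   # only ever resolved on dc1
    ]),
    "dc2": fake_idmap_dump(3000003, [
        (f"{DOM}-513", "ID_TYPE_BOTH", 3000000),
        (f"{DOM}-1105", "ID_TYPE_UID", 3000001),
        (f"{DOM}-1104", "ID_TYPE_UID", 3000002),
    ]),
}

# Constructed user objects with RFC2307 attributes, as any DC would return them.
RFC2307_USERS = f"""\
dn: CN=jhunter,CN=Users,DC=example,DC=com
objectSid: {DOM}-1104
uidNumber: 10001

dn: CN=rpenny,CN=Users,DC=example,DC=com
objectSid: {DOM}-1105
uidNumber: 10002
"""

if __name__ == "__main__":
    rfc = rfc2307_ids(RFC2307_USERS)
    for sid, xids in compare_dcs(DUMPS).items():
        print(f"{sid}: local xids {xids}; rfc2307 uidNumber {rfc.get(sid, 'unset')}")
```

Run against real dumps, feed `compare_dcs` one `ldbsearch -H /var/lib/samba/private/idmap.ldb` capture per DC; an empty result means the local xid allocations happen to agree, while any reported SID is one whose files would show different owners depending on which DC stored them. Only the RFC2307 values, which come from the replicated user object, are the same from every DC.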
