[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny241155 at gmail.com
Sat Nov 7 22:20:36 UTC 2015

On 07/11/15 21:29, Michael Adam wrote:
> On 2015-11-07 at 18:54 +0000, Rowland Penny wrote:
>> On 07/11/15 18:23, Michael Adam wrote:
>>> On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
>>>> On 07/11/15 17:47, Jonathan Hunter wrote:
>>>>> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>>>>>> Also, for all I know, the DC always has local unix user and group
>>>>>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>>>>>> this has changed recently, but I can't imagine how.) So there is
>>>>>> nothing wrong with samba not using the rfc ids on the DC -- this is
>>>>>> how it works by design.
>>>>> Thanks Michael. I will see if I can use winbind locally instead of
>>>>> sssd later this evening, now that I have fully switched to rfc2307
>>>>> rather than algorithmic mappings.
>>>>> One question on this, though - how is file ownership managed on the DC
>>>>> from the samba side? I know DCs aren't "supposed" to be used as file
>>>>> servers in the samba view of things (which is another story
>>>>> altogether), but I can't understand why sometimes the ID mapping comes
>>>>> from the rfc2307 attributes and then later on not. The mapping needs
>>>>> to be consistent so that any files on disk are owned by the correct
>>>>> UID (even if the local DC's Unix system doesn't necessarily know who
>>>>> that UID is - that's the job of winbindd / sssd / etc. as I understand
>>>>> it) ?
>>>>> There are a lot of people (including me) who for various reasons
>>>>> really, really want to use a single machine as both a DC and a file
>>>>> server. Having this work with any sort of consistency in UID mappings
>>>>> is proving to be a little bit problematic :)
>>>>> It's frustrating for me because it works for a while (5 months until
>>>>> yesterday) but then something triggers and it doesn't work again...
>>>>> Cheers
>>>>> J
>>>> The problem here is that whilst the uidNumbers & gidNumbers have always been
>>>> consistent when used on a DC with winbind (now winbindd), you have never
>>>> been able to use per-user home dirs and login shells.
>>>> The user ID problem on DCs using xidNumbers from idmap.ldb is compounded by
>>>> the fact that idmap.ldb can be and usually is different on DCs.
>>>> The only way to get consistent IDs is to use RFC2307 attributes, but as I
>>>> said, you cannot use the unixhomedirectory and loginshell attributes on a
>>>> DC.
>>> That is an interesting point, I'd really like to understand:
>>> Unless you want to access the shares also with NFS (e.g.),
>>> then why are these consistent IDs important?
>>> If looking from windows clients, you don't even see them.
>> Can I introduce you to the concept of an all Unix AD domain?
> Please do!
> Michael

I would have thought it was fairly obvious: an AD domain without *any* 
Windows machines. For this you would need the RFC2307 attributes, 
something that doesn't happen on the DC at present.

I know that AD was a Microsoft invention, but this doesn't make it a bad 
idea :-) and whilst Samba needs to be compatible with Microsoft AD, 
there is no reason why it cannot build on it for a Unix AD domain, or to 
put it another way, SSO for Unix. There does not seem to be any sense in 
avoiding the license fees involved with a Windows AD DC if you are also 
paying for the Windows OS.
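A check for the inconsistency discussed in this thread (some accounts mapped from RFC2307 attributes, others from the per-DC idmap.ldb), added here as an example and not part of the thread or of Samba: it parses ldbsearch-style LDIF from the DC's sam.ldb (the sam.ldb path and the sample records are assumptions) and reports accounts with no uidNumber/gidNumber, which winbindd would map through idmap.ldb instead, plus uidNumber values shared by more than one account.

```python
from collections import defaultdict

# Constructed sample in the style printed by (path is an assumption):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 10002

# record 3
dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10001
gidNumber: 10000

# record 4
dn: CN=dave,CN=Users,DC=example,DC=com
sAMAccountName: dave

# returned 4 records
"""

def parse_ldif(text):
    """Split LDIF into one {attr: value} dict per record (plain single-valued attrs only)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):   # blank line or comment ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        records.append(current)
    return records

def audit_rfc2307(text):
    """Accounts without uidNumber/gidNumber get an xidNumber allocated in the
    DC-local idmap.ldb, so their IDs can differ from DC to DC; duplicate
    uidNumbers give two accounts the same owner on disk."""
    missing, by_uid = {}, defaultdict(list)
    for rec in parse_ldif(text):
        name = rec.get("sAMAccountName")
        if not name:
            continue
        absent = [a for a in ("uidNumber", "gidNumber") if a not in rec]
        if absent:
            missing[name] = absent
        if "uidNumber" in rec:
            by_uid[rec["uidNumber"]].append(name)
    duplicates = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return {"missing": missing, "duplicate_uid": duplicates}
```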
