[Samba] idmap & migration to rfc2307

Michael Adam obnox at samba.org
Sat Nov 7 23:28:03 UTC 2015 

On 2015-11-07 at 22:20 +0000, Rowland Penny wrote:
> On 07/11/15 21:29, Michael Adam wrote:
> >On 2015-11-07 at 18:54 +0000, Rowland Penny wrote:
> >>On 07/11/15 18:23, Michael Adam wrote:
> >>>On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
> >>>>The problem here is that whilst the uidNumbers & gidNumbers
> >>>>have always been consistent when used on a DC with winbind
> >>>>(now winbindd), you have never been able to use per-user
> >>>>home dirs and login shells.
> >>>>
> >>>>The user ID problem on DCs  using xidNumbers from idmap.ldb
> >>>>is compounded by the fact that idmap.ldb can be and usually
> >>>>is different on DCs.
> >>>>
> >>>>The only way to get consistent IDs is to use RFC2307
> >>>>attributes, but as I said, you cannot use the
> >>>>unixhomedirectory and loginshell attributes on a DC.
> >>>
> >>>That is an interesting point, I'd really like to understand:
> >>>
> >>>Unless you want to access the shares also with NFS (e.g.),
> >>>then why are these consistent IDs important?
> >>>
> >>>If looking from windows clients, you don't even see them.
> >>
> >>Can I introduce you to the concept of an all Unix AD domain?
> >
> >Please do!
> 
> I would have thought it was fairly obvious, an AD domain
> without *any* windows machines.

A-ha!

> For this you would need the RFC2307 attributes, something that
> doesn't happen on the DC at present.

Ok, why do you strictly need it?
I understand that it gives you a better feeling,
and it may be convenient but which scenario really
requires it? Most important is the central auth db.
If the IDs on the various DCs and members in the
domain do not have the same sets of unix IDs, then
nevertheless
- local login will work.
- ssh login will work.
- rsync will work if not using --numeric-ids.
- cifs mount will work.
What else does one need that would _require_
identical ids?

All member servers could even have the same
IDs by rfc attributes (or an ldap or rid idmap config).

> I know that AD was a microsoft invention, but this doesn't make
> it a bad idea :-) and whilst Samba needs to be compatible with
> microsoft AD, there is no reason why it cannot build on it for
> a Unix AD domain, or to put it another way, SSO for Unix.

No problem at all with that!
Just was a little dense initially... ;-)

Cheers - Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20151108/ab8879de/signature.sig>

More information about the samba mailing list