[Samba] idmap & migration to rfc2307

Michael Adam obnox at samba.org
Sun Nov 8 10:49:17 UTC 2015 

On 2015-11-08 at 09:29 +0000, Rowland Penny wrote:
> On 07/11/15 23:28, Michael Adam wrote:
> >rsync will work if not using --numeric-ids.
> 
> OK, I know that logins will work on all the samba machines, but I am not
> sure what you say about rsync is correct, this is what 'man rsync' has to
> say about '--numeric-ids':
> 
> --numeric-ids           don't map uid/gid values by user/group name
> 
> So by my reading, if you don't use it, your uid/gids are mapped to the
> user/group and if you do, they aren't.

This is how it works in rsync:
- If you don't use --numeric-ids, then rsync will transfer names
  and let sending and receiving side each do its own name<->id
  translation. This is to be chosen if users/groups of the same
  name are present on each side, but not necessarily with the
  same IDs.
- Using --numeric-ids instead, the numerical IDs are transferred.
  This is potentially slightly cheaper, and it will also create
  perms/acls for users/groups that do not need to exist on the
  receiving side.
My warning was just that --numeric-ids can not be used in
the case when we do not have identical unix ids on the various
involved servers in the unix domain.

> From the problems that arose with
> trying to rsync Sysvol (yes I know this is useless on a Unix machine) where
> the xidNumbers are usually different from DC to DC, I am fairly sure this
> isn't going to work,

I don't know what problems these were.
I have always used rsync to replicate the sysvol.
And always used local xids. But being mainly a
file-server guy, I have also not managed many Samba
AD/DC environments. So I am really more than willing
to learn from others' experience here.

> the cure is to have the same idmap.ldb on all DCs.

The conceptual failure with sysvol is that we don't support
the AD protocol replication (FRS or DFSR) yet. Only therefore,
we need the band-aid of replicating under the hood with unix
file system level tools like rsync. I think that problems with
sysvol synchronization rather originate in this circumstance
than in the use of rsync w/o identical ids on both side.
But I may be missing something...

> There is also the problem of when a user creates a tarball on one machine
> and then copies it to another and unpacks it, they may find that all the
> files no longer belong to them.
> 
> If you log into *any* windows domain machine, you will get the same SID-RID,
> why should Unix be any different?

Because the windows sids are by design worldwide unique, while
the unix pattern is to use the same unix id space on each machine
and fill it individually.

I completely agree that it may be nice to have it.
But the real solution would be to have sid-like
unix IDs in the linux kernel.

Cheers - Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20151108/75b7b6e7/signature.sig>

More information about the samba mailing list