[Samba] idmap & migration to rfc2307

Jonathan Hunter jmhunter1 at gmail.com
Sun Nov 8 11:08:52 UTC 2015


Hi,

On 8 November 2015 at 10:49, Michael Adam <obnox at samba.org> wrote:
> This is how it works in rsync:
[...]
> I have always used rsync to replicate the sysvol.
> And always used local xids. But being mainly a
> file-server guy, I have also not managed many Samba
> AD/DC environments. So I am really more than willing
> to learn from others' experience here.

This is the major area I have had problems with in the past, same as
Rowland and many others I expect.

I should probably look into it in a little more detail to be honest;
last time I tried it it was a little bit of a black art but I ended up
fixing it by a combination of
- switching to rfc2307
- allocating all groups and users a GID/UID, including the 'BUILTIN' ones
- copying idmap.ldb between my DCs

Despite all this, I still have files owned by 'raw' UIDs on my DCs
(these map to 'BUILTIN\Authenticated Users' and 'BUILTIN\Local
System') e.g.

[root at dc ~# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: administrators
user::rwx
user:root:rwx
user:3000013:r-x
user:3000140:rwx
[...]
[root at dc ~]# net cache list | egrep "(0013|00140)"
Key: IDMAP/GID2SID/3000140       Timeout: Sun Nov 15 04:04:35 2015
  Value: S-1-5-18
Key: IDMAP/UID2SID/3000013       Timeout: Sun Nov 15 03:23:23 2015
  Value: S-1-5-11

but replication does seem to work across DCs via rsync at the moment.

I suspect this is another thread entirely from the bug we have been
discussing, though :) Maybe there's a way I can add the rfc2307
attributes to these two SIDs (although I haven't found it yet).

We should probably update the 'sysvol rsync howto' wiki entry with our
findings. I should actually update it anyway, as I have a working
multi-DC configuration using lsyncd that lets me update GPOs on any DC
(as long as I only update on one at a time).

>> If you log into *any* windows domain machine, you will get the same SID-RID,
>> why should Unix be any different?
>
> Because the windows sids are by design worldwide unique, while
> the unix pattern is to use the same unix id space on each machine
> and fill it individually.
>
> I completely agree that it may be nice to have it.
> But the real solution would be to have sid-like
> unix IDs in the linux kernel.

Agreed, that would be great :) But I think until we have this in the
kernel, it would be good if we can work around it within Samba, if
possible - e.g. rfc2307 support for example.

Cheers,

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
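A small audit for the situation described in the post above (raw numeric xids in sysvol ACLs that the winbind cache maps to well-known SIDs), added here as an example and not code from the post or from Samba; it parses constructed `getfacl` and `net cache list` text in the same shape as the post's output, and assumes DC xids may be allocated as ID_TYPE_BOTH so a number is looked up in both the UID2SID and GID2SID cache tables.

```python
# Added example, not code from the post; both sample inputs below are constructed.
import re

GETFACL_OUTPUT = """\
# file: usr/local/samba/var/locks/sysvol
user:root:rwx
user:3000013:r-x
user:3000140:rwx
user:3000999:r--
group:3000140:rwx
"""

NET_CACHE_OUTPUT = """\
Key: IDMAP/GID2SID/3000140       Timeout: Sun Nov 15 04:04:35 2015
  Value: S-1-5-18
Key: IDMAP/UID2SID/3000013       Timeout: Sun Nov 15 03:23:23 2015
  Value: S-1-5-11
"""

WELL_KNOWN_SIDS = {"S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System"}
ACL_RE = re.compile(r"^(user|group):(\d+):([rwx-]{3})$")
KEY_RE = re.compile(r"^Key: IDMAP/(UID|GID)2SID/(\d+)\s")
VAL_RE = re.compile(r"^\s*Value: (S-1-[\d-]+)$")

def find_raw_acl_entries(text):
    """(kind, xid, perms) for each named ACL entry that is still a bare number."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in map(ACL_RE.match, text.splitlines()) if m]

def parse_idmap_cache(text):
    """Map (direction, xid) -> SID from consecutive Key:/Value: lines."""
    cache, pending = {}, None
    for line in text.splitlines():
        key, val = KEY_RE.match(line), VAL_RE.match(line)
        if key:
            pending = (key.group(1), int(key.group(2)))
        elif val and pending:
            cache[pending], pending = val.group(1), None
    return cache

def audit(getfacl_text, cache_text):
    """Resolve each raw xid to a SID; entries absent from the cache get sid=None."""
    cache = parse_idmap_cache(cache_text)
    rows = []
    for kind, xid, perms in find_raw_acl_entries(getfacl_text):
        # DC xids are commonly ID_TYPE_BOTH, so a user: entry may only be cached
        # under GID2SID (the post's 3000140): check both directions.
        sid = cache.get(("UID", xid)) or cache.get(("GID", xid))
        rows.append({"kind": kind, "xid": xid, "perms": perms, "sid": sid,
                     "name": WELL_KNOWN_SIDS.get(sid, "unknown SID" if sid else "not in cache")})
    return rows
```

Entries reported with `sid=None` are the ones to chase first: they are xids nobody on the DC can explain, not just missing rfc2307 attributes.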
