[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny241155 at gmail.com
Sun Nov 8 11:14:52 UTC 2015 

On 08/11/15 10:49, Michael Adam wrote:
> On 2015-11-08 at 09:29 +0000, Rowland Penny wrote:
>> On 07/11/15 23:28, Michael Adam wrote:
>>> rsync will work if not using --numeric-ids.
>> OK, I know that logins will work on all the samba machines, but I am not
>> sure what you say about rsync is correct, this is what 'man rsync' has to
>> say about '--numeric-ids':
>>
>> --numeric-ids           don't map uid/gid values by user/group name
>>
>> So by my reading, if you don't use it, your uid/gids are mapped to the
>> user/group and if you do, they aren't.
> This is how it works in rsync:
> - If you don't use --numeric-ids, then rsync will transfer names
>    and let sending and receiving side each do its own name<->id
>    translation. This is to be chosen if users/groups of the same
>    name are present on each side, but not necessarily with the
>    same IDs.
> - Using --numeric-ids instead, the numerical IDs are transferred.
>    This is potentially slightly cheaper, and it will also create
>    perms/acls for users/groups that do not need to exist on the
>    receiving side.
> My warning was just that --numeric-ids can not be used in
> the case when we do not have identical unix ids on the various
> involved servers in the unix domain.
>
>>  From the problems that arose with
>> trying to rsync Sysvol (yes I know this is useless on a Unix machine) where
>> the xidNumbers are usually different from DC to DC, I am fairly sure this
>> isn't going to work,
> I don't know what problems these were.
> I have always used rsync to replicate the sysvol.
> And always used local xids. But being mainly a
> file-server guy, I have also not managed many Samba
> AD/DC environments. So I am really more than willing
> to learn from others' experience here.

If you have two DCs, the contents of idmap.ldb is different on each DC, 
so when you rsync sysvol from one to the other, it ends up with the 
wrong ownership.

>
>> the cure is to have the same idmap.ldb on all DCs.
> The conceptual failure with sysvol is that we don't support
> the AD protocol replication (FRS or DFSR) yet. Only therefore,
> we need the band-aid of replicating under the hood with unix
> file system level tools like rsync. I think that problems with
> sysvol synchronization rather originate in this circumstance
> than in the use of rsync w/o identical ids on both side.
> But I may be missing something...

Well, yes it would be nice to have sysvol replication etc, but the ID 
number problem needs to be fixed first.

>> There is also the problem of when a user creates a tarball on one machine
>> and then copies it to another and unpacks it, they may find that all the
>> files no longer belong to them.
>>
>> If you log into *any* windows domain machine, you will get the same SID-RID,
>> why should Unix be any different?
> Because the windows sids are by design worldwide unique, while
> the unix pattern is to use the same unix id space on each machine
> and fill it individually.
>
> I completely agree that it may be nice to have it.
> But the real solution would be to have sid-like
> unix IDs in the linux kernel.

I will let you talk to Linus about that :-D

Rowland

>
> Cheers - Michael

More information about the samba mailing list