[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny241155 at gmail.com
Sun Nov 8 11:17:30 UTC 2015

On 08/11/15 11:08, Jonathan Hunter wrote:
> Hi,
> On 8 November 2015 at 10:49, Michael Adam <obnox at samba.org> wrote:
>> This is how it works in rsync:
> [...]
>> I have always used rsync to replicate the sysvol.
>> And always used local xids. But being mainly a
>> file-server guy, I have also not managed many Samba
>> AD/DC environments. So I am really more than willing
>> to learn from others' experience here.
> This is the major area I have had problems with in the past, same as
> Rowland and many others I expect.
> I should probably look into it in a little more detail to be honest;
> last time I tried it it was a little bit of a black art but I ended up
> fixing it by a combination of
> - switching to rfc2307
> - allocating all groups and users a GID/UID, including the 'BUILTIN' ones
> - copying idmap.ldb between my DCs
> Despite all this, I still have files owned by 'raw' UIDs on my DCs
> (these map to 'BUILTIN\Authenticated Users' and 'BUILTIN\Local
> System') e.g.
> [root at dc ~]# getfacl /usr/local/samba/var/locks/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: administrators
> user::rwx
> user:root:rwx
> user:3000013:r-x
> user:3000140:rwx
> [...]
> [root at dc ~]# net cache list | egrep "(0013|00140)"
> Key: IDMAP/GID2SID/3000140       Timeout: Sun Nov 15 04:04:35 2015
>    Value: S-1-5-18
> Key: IDMAP/UID2SID/3000013       Timeout: Sun Nov 15 03:23:23 2015
>    Value: S-1-5-11
> but replication does seem to work across DCs via rsync at the moment.
> I suspect this is another thread entirely from the bug we have been
> discussing, though :) Maybe there's a way I can add the rfc2307
> attributes to these two SIDs (although I haven't found it yet)

You cannot add uid/gidNumber attributes to BUILTIN users/groups, well, 
you can, but they are ignored, I know, I tried.

> We should probably update the 'sysvol rsync howto' wiki entry with our
> findings. I should actually update it anyway, as I have a working
> multi-DC configuration using lsyncd that lets me update GPOs on any DC
> (as long as I only update on one at a time)
>>> If you log into *any* windows domain machine, you will get the same SID-RID,
>>> why should Unix be any different?
>> Because the windows sids are by design worldwide unique, while
>> the unix pattern is to use the same unix id space on each machine
>> and fill it individually.
>> I completely agree that it may be nice to have it.
>> But the real solution would be to have sid-like
>> unix IDs in the linux kernel.
> Agreed, that would be great :) But I think until we have this in the
> kernel, it would be good if we can work around it within Samba, if
> possible - e.g. rfc2307 support for example.
> Cheers,
> Jonathan
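As an added example (not code from this thread or from the Samba project), the check Jonathan does by hand above, pairing `getfacl` on sysvol with `net cache list`, as a small POSIX shell script: it picks out the ACL entries that still carry raw numeric xids, resolves each one through the idmap cache output (trying UID2SID, then GID2SID), and labels the well-known SIDs so an admin can see at a glance which leftover entries are BUILTIN principals that cannot be given rfc2307 attributes. The `getfacl` and `net cache list` text are constructed samples (the two xids quoted in the thread plus one invented gid with no cache entry); the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `getfacl` output for a sysvol directory (not real data,
# apart from the two xids quoted in the thread; 3000001 is invented).
FACL_SAMPLE='# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: administrators
user::rwx
user:root:rwx
user:3000013:r-x
user:3000140:rwx
group::r-x
group:3000001:r-x
mask::rwx
other::---'

# Constructed sample of `net cache list` output, limited to the idmap entries.
CACHE_SAMPLE='Key: IDMAP/GID2SID/3000140       Timeout: Sun Nov 15 04:04:35 2015
   Value: S-1-5-18
Key: IDMAP/UID2SID/3000013       Timeout: Sun Nov 15 03:23:23 2015
   Value: S-1-5-11'

# xid_to_sid KIND XID CACHE_TEXT
# Looks up IDMAP/<KIND>2SID/<XID> in the cache text and prints the SID,
# or UNKNOWN when the cache has no entry for it.
xid_to_sid() {
  printf '%s\n' "$3" | awk -v key="IDMAP/${1}2SID/${2}" '
    $1 == "Key:"            { found = ($2 == key); next }
    found && $1 == "Value:" { print $2; hit = 1; exit }
    END                     { if (!hit) print "UNKNOWN" }'
}

# well_known_name SID
# Names the well-known SIDs that typically show up as unmapped xids on a DC.
well_known_name() {
  case "$1" in
    S-1-5-11) echo "Authenticated Users (well-known SID)" ;;
    S-1-5-18) echo "Local System (well-known SID)" ;;
    UNKNOWN)  echo "not in idmap cache" ;;
    *)        echo "domain or other SID" ;;
  esac
}

# report_unmapped FACL_TEXT CACHE_TEXT
# Prints one line "kind xid sid" for every user:/group: ACL entry whose
# principal is a bare number, i.e. an xid the DC could not turn into a name.
report_unmapped() {
  printf '%s\n' "$1" | awk -F: '/^(user|group):[0-9]+:/ { print $1, $2 }' |
  while read -r kind xid; do
    sid=$(xid_to_sid UID "$xid" "$2")
    # An entry listed under user: may still be cached as a GID (as in the thread).
    [ "$sid" = UNKNOWN ] && sid=$(xid_to_sid GID "$xid" "$2")
    printf '%s %s %s\n' "$kind" "$xid" "$sid"
  done
}

# audit_sysvol: human-readable report over the constructed samples.
# On a live DC (assumption, not run here) the samples would be replaced by
#   FACL=$(getfacl -p /usr/local/samba/var/locks/sysvol)
#   CACHE=$(net cache list)
audit_sysvol() {
  report_unmapped "$FACL_SAMPLE" "$CACHE_SAMPLE" | while read -r kind xid sid; do
    printf '%-5s %-8s %-10s %s\n' "$kind" "$xid" "$sid" "$(well_known_name "$sid")"
  done
}

audit_sysvol
```

Run the same report on each DC and diff the output: a principal that resolves to S-1-5-11 or S-1-5-18 is a BUILTIN account whose xid comes from the local idmap.ldb allocation, so the numbers only agree across DCs if that file was copied as Jonathan describes, while an entry reported as not in the cache is a candidate for a missing uidNumber/gidNumber or a stale ACL.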
