[Samba] idmap & migration to rfc2307
obnox at samba.org
Sun Nov 8 11:53:55 UTC 2015
On 2015-11-08 at 11:14 +0000, Rowland Penny wrote:
> On 08/11/15 10:49, Michael Adam wrote:
> >On 2015-11-08 at 09:29 +0000, Rowland Penny wrote:
> >>On 07/11/15 23:28, Michael Adam wrote:
> >>>rsync will work if not using --numeric-ids.
> >>OK, I know that logins will work on all the samba machines, but I am not
> >>sure what you say about rsync is correct, this is what 'man rsync' has to
> >>say about '--numeric-ids':
> >>--numeric-ids don't map uid/gid values by user/group name
> >>So by my reading, if you don't use it, your uid/gids are mapped to the
> >>user/group and if you do, they aren't.
> >This is how it works in rsync:
> >- If you don't use --numeric-ids, then rsync will transfer names
> > and let sending and receiving side each do its own name<->id
> > translation. This is to be chosen if users/groups of the same
> > name are present on each side, but not necessarily with the
> > same IDs.
> >- Using --numeric-ids instead, the numerical IDs are transferred.
> > This is potentially slightly cheaper, and it will also create
> > perms/acls for users/groups that do not need to exist on the
> > receiving side.
> >My warning was just that --numeric-ids can not be used in
> >the case when we do not have identical unix ids on the various
> >involved servers in the unix domain.
> >> From the problems that arose with
> >>trying to rsync Sysvol (yes I know this is useless on a Unix machine) where
> >>the xidNumbers are usually different from DC to DC, I am fairly sure this
> >>isn't going to work,
> >I don't know what problems these were.
> >I have always used rsync to replicate the sysvol.
> >And always used local xids. But being mainly a
> >file-server guy, I have also not managed many Samba
> >AD/DC environments. So I am really more than willing
> >to learn from others' experience here.
> If you have two DCs, the contents of idmap.ldb is different on each DC, so
> when you rsync sysvol from one to the other, it ends up with the wrong
It fails if you use --numeric-ids.
Otherwise, it works (is at least my experience).
> >>the cure is to have the same idmap.ldb on all DCs.
> >The conceptual failure with sysvol is that we don't support
> >the AD protocol replication (FRS or DFSR) yet. Only therefore,
> >we need the band-aid of replicating under the hood with unix
> >file system level tools like rsync. I think that problems with
> >sysvol synchronization rather originate in this circumstance
> >than in the use of rsync w/o identical ids on both side.
> >But I may be missing something...
> Well, yes it would be nice to have sysvol replication etc, but the ID number
> problem needs to be fixed first.
I am still not convinced we strictly need it. :-)
(We would even need it less with sysvol-replication.)
But it would be convenient sometimes.
> >>There is also the problem of when a user creates a tarball on one machine
> >>and then copies it to another and unpacks it, they may find that all the
> >>files no longer belong to them.
> >>If you log into *any* windows domain machine, you will get the same SID-RID,
> >>why should Unix be any different?
> >Because the windows sids are by design worldwide unique, while
> >the unix pattern is to use the same unix id space on each machine
> >and fill it individually.
> >I completely agree that it may be nice to have it.
> >But the real solution would be to have sid-like
> >unix IDs in the linux kernel.
> I will let you talk to Linus about that :-D
Yeah, that is pretty unrealistic to have any time soon...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 198 bytes
Desc: not available
More information about the samba