[Samba] idmap & migration to rfc2307

Michael Adam obnox at samba.org
Sun Nov 8 13:38:04 UTC 2015 

On 2015-11-08 at 13:13 +0000, Rowland Penny wrote:
> On 08/11/15 11:53, Michael Adam wrote:
> >On 2015-11-08 at 11:14 +0000, Rowland Penny wrote:
> >>On 08/11/15 10:49, Michael Adam wrote:
> >>>On 2015-11-08 at 09:29 +0000, Rowland Penny wrote:
> >>>>On 07/11/15 23:28, Michael Adam wrote:
> >>>>>rsync will work if not using --numeric-ids.
> >>>>OK, I know that logins will work on all the samba machines, but I am not
> >>>>sure what you say about rsync is correct, this is what 'man rsync' has to
> >>>>say about '--numeric-ids':
> >>>>
> >>>>--numeric-ids           don't map uid/gid values by user/group name
> >>>>
> >>>>So by my reading, if you don't use it, your uid/gids are mapped to the
> >>>>user/group and if you do, they aren't.
> >>>This is how it works in rsync:
> >>>- If you don't use --numeric-ids, then rsync will transfer names
> >>>   and let sending and receiving side each do its own name<->id
> >>>   translation. This is to be chosen if users/groups of the same
> >>>   name are present on each side, but not necessarily with the
> >>>   same IDs.
> >>>- Using --numeric-ids instead, the numerical IDs are transferred.
> >>>   This is potentially slightly cheaper, and it will also create
> >>>   perms/acls for users/groups that do not need to exist on the
> >>>   receiving side.
> >>>My warning was just that --numeric-ids can not be used in
> >>>the case when we do not have identical unix ids on the various
> >>>involved servers in the unix domain.
> >>>
> >>>> From the problems that arose with
> >>>>trying to rsync Sysvol (yes I know this is useless on a Unix machine) where
> >>>>the xidNumbers are usually different from DC to DC, I am fairly sure this
> >>>>isn't going to work,
> >>>I don't know what problems these were.
> >>>I have always used rsync to replicate the sysvol.
> >>>And always used local xids. But being mainly a
> >>>file-server guy, I have also not managed many Samba
> >>>AD/DC environments. So I am really more than willing
> >>>to learn from others' experience here.
> >>If you have two DCs, the contents of idmap.ldb is different on each DC, so
> >>when you rsync sysvol from one to the other, it ends up with the wrong
> >>ownership.
> >It fails if you use --numeric-ids.
> >Otherwise, it works (is at least my experience).
> 
> Well, it didn't work previously for me, note that I said previously, I am
> mid setup of a new test domain and previously when I examined sysvol, I got
> this:
> 
> ls -la /var/lib/samba/sysvol/example.com/
> total 56
> drwxrwx---+ 7 root 3000000 4096 Nov  9 08:52 .
> drwxrwx---+ 3 root 3000000 4096 Aug 12 10:40 ..
> drwxrwx---+ 4 root 3000000 4096 Aug 12 10:41 Policies
> drwxrwx---+ 2 root 3000000 4096 Aug 12 10:40 scripts
> 
> Note that the group is a number and this was using 4.1.9
> 
> My new domain is using 4.3.1 and I now get:
> 
> ls -la /usr/local/samba/var/locks/sysvol/samdom.example.com/
> total 32
> drwxrws---+ 4 root BUILTIN\administrators 4096 Nov  6 11:56 .
> drwxrws---+ 3 root BUILTIN\administrators 4096 Nov  6 11:56 ..
> drwxrws---+ 4 root BUILTIN\administrators 4096 Nov  6 11:56 Policies
> drwxrws---+ 2 root BUILTIN\administrators 4096 Nov  6 11:56 scripts
> 
> The group is now a name!
> 
> on the second DC I got this:
> 
> ls -la /usr/local/samba/var/locks/sysvol/samdom.example.com/
> total 12
> drwxr-sr-x 3 root staff 4096 Nov  6 15:52 .
> drwxr-sr-x 3 root staff 4096 Nov  6 15:52 ..
> drwxr-sr-x 2 root staff 4096 Nov  6 15:52 scripts
> 
> after running 'rsync -e 'ssh' -XAavz --delete-after
> /usr/local/samba/var/locks/sysvol/
> dc2.samdom.example.com:/usr/local/samba/var/locks/sysvol/' on the first DC,
> I now get this on the second DC:
> 
> ls -la /usr/local/samba/var/locks/sysvol/samdom.example.com/
> total 32
> drwxrws---+ 4 root BUILTIN\administrators 4096 Nov  6 11:56 .
> drwxrws---+ 3 root BUILTIN\administrators 4096 Nov  6 11:56 ..
> drwxrws---+ 4 root BUILTIN\administrators 4096 Nov  6 11:56 Policies
> drwxrws---+ 2 root BUILTIN\administrators 4096 Nov  6 11:56 scripts

That looks good.
The numeric IDs may or may not be the same..

> I think we need to re-write the wiki :-)

Please do update what needs updating!

Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20151108/c7a19f9a/signature.sig>

More information about the samba mailing list