[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny241155 at gmail.com
Sun Nov 8 14:56:04 UTC 2015

On 08/11/15 14:40, Harry Jede wrote:
> On 15:27:22 wrote Rowland Penny:
>> On 08/11/15 11:08, Jonathan Hunter wrote:
>>> Hi,
>>> On 8 November 2015 at 10:49, Michael Adam <obnox at samba.org> wrote:
>>>> This is how it works in rsync:
>>> [...]
>>>> I have always used rsync to replicate the sysvol.
>>>> And always used local xids. But being mainly a
>>>> file-server guy, I have also not managed many Samba
>>>> AD/DC environments. So I am really more than willing
>>>> to learn from others' experience here.
>>> This is the major area I have had problems with in the past, same
>>> as Rowland and many others I expect.
>>> I should probably look into it in a little more detail to be
>>> honest; last time I tried it it was a little bit of a black art
>>> but I ended up fixing it by a combination of
>>> - switching to rfc2307
>>> - allocating all groups and users a GID/UID, including the
>>> 'BUILTIN' ones
>>> - copying idmap.ldb between my DCs
>>> Despite all this, I still have files owned by 'raw' UIDs on my DCs
>>> (these map to 'BUILTIN\Authenticated Users' and 'BUILTIN\Local
>>> System') e.g.
>>> [root at dc ~# getfacl /usr/local/samba/var/locks/sysvol
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: usr/local/samba/var/locks/sysvol
>>> # owner: root
>>> # group: administrators
>>> user::rwx
>>> user:root:rwx
>>> user:3000013:r-x
>>> user:3000140:rwx
>>> [...]
>>> [root at dc ~]# net cache list | egrep "(0013|00140)"
>>> Key: IDMAP/GID2SID/3000140       Timeout: Sun Nov 15 04:04:35 2015
>>>     Value: S-1-5-18
>>> Key: IDMAP/UID2SID/3000013       Timeout: Sun Nov 15 03:23:23 2015
>>>     Value: S-1-5-11
>>> but replication does seem to work across DCs via rsync at the
>>> moment.
>>> I suspect this is another thread entirely from the bug we have been
>>> discussing, though :) Maybe there's a way I can add the rfc2307
>>> attributes to these two SIDs (although I haven't found it yet)
>> You cannot add uid/gidNumber attributes to BUILTIN users/groups;
>> well, you can, but they are ignored. I know, I tried.
> My experience is different. I have been doing this for about 10 years in NT
> and AD style Samba domains and have had no problems.
> Sure, "authenticated users", "local system" and all "groups" which are
> managed by the Windows OS will never work on a Unix-like OS. But groups
> which simply contain other groups like Administrators or Users work for
> me. I use nslcd as nss daemon, mostly, but I know it works also with
> other nss providers like winbindd.

Sorry, but this isn't the nslcd mailing list either; Samba does not have
anything to do with nslcd or sssd and it only recommends the use of
winbind. What anybody else does is their decision, but I will stick with
Samba and what they recommend.


>> Rowland
>>> We should probably update the 'sysvol rsync howto' wiki entry with
>>> our findings. I should actually update it anyway, as I have a
>>> working multi-DC configuration using lsyncd that lets me update
>>> GPOs on any DC (as long as I only update on one at a time)
>>>>> If you log into *any* windows domain machine, you will get the
>>>>> same SID-RID, why should Unix be any different?
>>>> Because the windows sids are by design worldwide unique, while
>>>> the unix pattern is to use the same unix id space on each machine
>>>> and fill it individually.
>>>> I completely agree that it may be nice to have it.
>>>> But the real solution would be to have sid-like
>>>> unix IDs in the linux kernel.
>>> Agreed, that would be great :) But I think until we have this in
>>> the kernel, it would be good if we can work around it within
>>> Samba, if possible - e.g. rfc2307 support for example.
>>> Cheers,
>>> Jonathan

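As an added example (not code from this thread or from Samba), the diagnostic Jonathan describes above carried out in Python: it parses constructed copies of the quoted getfacl and `net cache list` output and flags every ACL entry whose raw numeric id winbind cached for a well-known SID, i.e. an xid allocated locally in idmap.ldb rather than taken from rfc2307 attributes, and therefore not guaranteed to be the same on another DC. The two regexes and the WELL_KNOWN table are my own assumptions about the output formats, not Samba definitions.

```python
import re
# Constructed sample: the getfacl entries quoted in the thread above.
GETFACL = """\
user::rwx
user:root:rwx
user:3000013:r-x
user:3000140:rwx
"""

# Constructed sample: the `net cache list` lines quoted in the thread.
NET_CACHE = """\
Key: IDMAP/GID2SID/3000140       Timeout: Sun Nov 15 04:04:35 2015
    Value: S-1-5-18
Key: IDMAP/UID2SID/3000013       Timeout: Sun Nov 15 03:23:23 2015
    Value: S-1-5-11
"""

# Well-known SIDs have no uidNumber/gidNumber in AD, so each DC allocates
# them a local xid from its own idmap.ldb; such xids differ between DCs.
WELL_KNOWN = {"S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System"}

def parse_net_cache(text):
    """Map xid -> (kind, sid) from IDMAP/UID2SID and IDMAP/GID2SID entries."""
    mapping, pending = {}, None
    for line in text.splitlines():
        key = re.match(r"Key:\s+IDMAP/(UID|GID)2SID/(\d+)", line)
        if key:
            pending = (key.group(1).lower(), int(key.group(2)))
            continue
        val = re.match(r"\s*Value:\s+(S-1-[\d-]+)", line)
        if val and pending:
            mapping[pending[1]] = (pending[0], val.group(1))
            pending = None
    return mapping

def audit_sysvol_acl(getfacl_text, cache_text):
    """One record per ACL entry naming a raw numeric id, with its cached SID."""
    cache = parse_net_cache(cache_text)
    report = []
    for line in getfacl_text.splitlines():
        ace = re.match(r"(user|group):(\d+):([rwx-]{3})", line)
        if not ace:
            continue  # named entries (user:root:rwx) and base entries are fine
        xid = int(ace.group(2))
        kind, sid = cache.get(xid, (None, None))
        report.append({"entry": ace.group(1), "xid": xid, "perms": ace.group(3),
                       "cached_as": kind, "sid": sid, "name": WELL_KNOWN.get(sid),
                       "well_known": sid in WELL_KNOWN})
    return report
```

Run it on a DC with `getfacl -R` over sysvol and the current `net cache list` to list which entries will show up as unresolvable or mis-mapped ids after an rsync to a DC whose idmap.ldb allocated different numbers.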