[Samba] idmap & migration to rfc2307

buhorojo buhorojo.lcb at gmail.com
Sun Nov 8 19:34:50 UTC 2015

On 07/11/15 19:57, Michael Adam wrote:
> On 2015-11-07 at 17:47 +0000, Jonathan Hunter wrote:
>> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>>> Also, for all I know, the DC always has local unix user and group
>>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>>> this has changed recently, but I can't imagine how.) So there is
>>> nothing wrong with samba not using the rfc ids on the DC -- this is
>>> how it works by design.
>> Thanks Michael. I will see if I can use winbind locally instead of
>> sssd later this evening, now that I have fully switched to rfc2307
>> rather than algorithmic mappings.
>> One question on this, though - how is file ownership managed on the DC
>> from the samba side? I know DCs aren't "supposed" to be used as file
>> servers in the samba view of things (which is another story
>> altogether), but I can't understand why sometimes the ID mapping comes
>> from the rfc2307 attributes and then later on not.
> I don't understand that yet.
> As explained in my previous mail, what can happen is that
> a user first (before given a rfc unixID) gets its uid from the
> idmap.ldb, but as soon as there is a unixid in the rfc
> attributes in his ldap object, that should always be used.
> This is a per-user thing.
> It is not surprising that an externally configured sssd
> (configured to use rfc in a ad, and hence behaving more like
> a domain member) possibly gives different results, and also
> consistently uses the rfc attrs, since that one does not
> have the fallback to idmap.ldb that samba has.
sssd uses its own implementation of winbind and _always_ retrieves the 
same id from AD. Repeat, _always_. Currently it and nslcd are the only 
way to obtain full rfc2307 and consistent ids on DCs. Neither winbind 
nor winbindd can do so.
> The mapping should indeed be consistent for a user on the DC,
> so it should not intermittently switch between idmap.ldb and
> the rfc attributes. That would be a bug that we need to
> understand.
> One step as written in a previous mail would be to change
> the dc code to _never_ fall back to idmap.ldb when configured
> with "idmap_ldb:use rfc2307 = yes".
It has to fall back as uid is undefined for builtin objects.
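The thread hinges on whether the uid a DC actually hands out for a user agrees with the rfc2307 uidNumber stored in that user's AD object, and on which accounts (builtin objects with no uidNumber) silently fall back to idmap.ldb. The following check is an added example, not code from the thread or from the Samba project: it takes `getent passwd` output and LDIF-style output of the rfc2307 attributes (as `ldbsearch` or `ldapsearch` would print them) and reports consistent users, mismatches, and accounts that have no uidNumber at all. The sample inputs, the EXAMPLE domain, the account names and the uid values (including the 3000012 value standing in for an idmap.ldb-allocated id) are constructed for the demonstration.

```python
"""Consistency check: does the uid the DC resolves for each user (getent passwd)
match the rfc2307 uidNumber attribute in AD, and which accounts lack one?

Both inputs are plain text; in real use they would come from
`getent passwd` and `ldbsearch ... sAMAccountName uidNumber gidNumber`.
Here they are constructed samples embedded inline so the check runs offline.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of `getent passwd` output (winbind- or sssd-resolved).
SAMPLE_GETENT = """\
EXAMPLE\\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\\bob:*:3000012:10000:Bob:/home/EXAMPLE/bob:/bin/bash
EXAMPLE\\administrator:*:0:100:Administrator:/home/EXAMPLE/administrator:/bin/false
"""

# Constructed sample of LDIF-style rfc2307 attribute output, one entry per
# blank-line-separated block; Administrator deliberately has no uidNumber.
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10000

# record 3
dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
"""


def parse_getent(text: str) -> Dict[str, int]:
    """Map lowercase account name (DOMAIN\\ prefix stripped) -> resolved uid."""
    result: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name = fields[0].split("\\")[-1].lower()
        result[name] = int(fields[2])
    return result


def parse_ldif_uidnumbers(text: str) -> Dict[str, Optional[int]]:
    """Map lowercase sAMAccountName -> uidNumber, or None when the attribute is absent."""
    result: Dict[str, Optional[int]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip ldbsearch "# record N" comments and junk
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
        name = attrs.get("sAMAccountName")
        if name is None:
            continue
        uid = attrs.get("uidNumber")
        result[name.lower()] = int(uid) if uid is not None else None
    return result


def check_consistency(getent: Dict[str, int],
                      ad: Dict[str, Optional[int]]) -> Dict[str, List]:
    """Classify every resolved account against its AD rfc2307 uidNumber."""
    report: Dict[str, List] = {
        "consistent": [],            # resolved uid == uidNumber
        "mismatch": [],              # (name, resolved uid, uidNumber) differ
        "fallback_no_rfc2307": [],   # no uidNumber in AD: id came from idmap.ldb
        "not_in_ad": [],             # account not present in the LDIF at all
    }
    for name, uid in sorted(getent.items()):
        if name not in ad:
            report["not_in_ad"].append(name)
        elif ad[name] is None:
            report["fallback_no_rfc2307"].append(name)
        elif ad[name] == uid:
            report["consistent"].append(name)
        else:
            report["mismatch"].append((name, uid, ad[name]))
    return report


if __name__ == "__main__":
    rep = check_consistency(parse_getent(SAMPLE_GETENT),
                            parse_ldif_uidnumbers(SAMPLE_LDIF))
    for category, entries in rep.items():
        print(f"{category}: {entries}")
```

Run against the two captured files instead of the embedded samples, anything in `mismatch` is a user whose DC-side uid is not the rfc2307 one (the intermittent switching described in the thread), and `fallback_no_rfc2307` lists the objects that have no uidNumber and therefore can only be served from idmap.ldb.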
