[Samba] idmap & migration to rfc2307

buhorojo buhorojo.lcb at gmail.com
Sun Nov 8 21:50:06 UTC 2015

On 08/11/15 21:01, Michael Adam wrote:
> On 2015-11-08 at 20:34 +0100, buhorojo wrote:
>> On 07/11/15 19:57, Michael Adam wrote:
>>> On 2015-11-07 at 17:47 +0000, Jonathan Hunter wrote:
>>>> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>>>>> Also, for all I know, the DC always has local unix user and group
>>>>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>>>>> this has changed recently, but I can't imagine how.) So there is
>>>>> nothing wrong with samba not using the rfc ids on the DC -- this is
>>>>> how it works by design.
>>>> Thanks Michael. I will see if I can use winbind locally instead of
>>>> sssd later this evening, now that I have fully switched to rfc2307
>>>> rather than algorithmic mappings.
>>>> One question on this, though - how is file ownership managed on the DC
>>>> from the samba side? I know DCs aren't "supposed" to be used as file
>>>> servers in the samba view of things (which is another story
>>>> altogether), but I can't understand why sometimes the ID mapping comes
>>>> from the rfc2307 attributes and then later on not.
>>> I don't understand that yet.
>>> As explained in my previous mail, what can happen is that
>>> a user first (before given a rfc unixID) gets its uid from the
>>> idmap.ldb, but as soon as there is a unixid in the rfc
>>> attributes in his ldap object, that should always be used.
>>> This is a per-user thing.
>>> It is not surprising that an externally configured sssd
>>> (configured to use rfc in a ad, and hence behaving more like
>>> a domain member) possibly gives different results, and also
>>> consistently uses the rfc attrs, since that one does not
>>> have the fallback to idmap.ldb that samba has.
>> sssd uses its own implementation of winbind
> I repeat: sssd does not implement winbind.
> It implements some parts of the winbind protocol.
> It is not a drop-in replacement for winbind(d).
> And the ad-dc forcefully uses winbindd anyways,
No, it is not forced. It can be disabled.
> so sssd is not at all an option.
No? What it does do is just work. winbind doesn't. It is unfair on the 
OP to insist it does.
>> and _always_ retrieves the same id from AD. Repeat, _always_.
>> Currently it and nslcd are the only way to obtain full rfc2307
>> and consistent ids on DCs. Neither winbind nor
>> winbindd can do so.
> Sure. winbindd can do it.
Sorry but you are wrong. On a DC it can't.
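As an added example that is not part of this thread or of Samba's own tooling: a small Python audit that applies the precedence Michael describes (an rfc2307 uidNumber on the AD object wins, otherwise the DC falls back to the xidNumber allocated in idmap.ldb) to constructed ldbsearch-style LDIF, and flags users whose files on the DC may still carry the old idmap.ldb uid after the migration to rfc2307. The records, SIDs and numbers are constructed sample data.

```python
# Constructed LDIF in the shape `ldbsearch` prints; not taken from a real DC.
AD_USERS_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
objectSid: S-1-5-21-1111-2222-3333-1104
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
objectSid: S-1-5-21-1111-2222-3333-1105
"""
# Constructed idmap.ldb records: the DC's fallback allocation per SID.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
xidNumber: 3000021

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
xidNumber: 3000022
"""

def parse_ldif(text):
    """Parse blank-line separated, single-valued LDIF records into dicts."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(": ")
        cur[key] = val
    return records + ([cur] if cur else [])

def audit_mappings(ad_ldif, idmap_ldif):
    """Map sAMAccountName -> (uid, source, stale_xid): uidNumber wins, else the
    idmap.ldb xidNumber is used. stale_xid is the old idmap.ldb uid that files
    created on the DC before the rfc2307 migration may still be owned by."""
    idmap = {r["objectSid"]: int(r["xidNumber"]) for r in parse_ldif(idmap_ldif)}
    result = {}
    for r in parse_ldif(ad_ldif):
        sam, sid = r["sAMAccountName"], r["objectSid"]
        if "uidNumber" in r:
            uid, xid = int(r["uidNumber"]), idmap.get(sid)
            result[sam] = (uid, "rfc2307", xid if xid not in (None, uid) else None)
        else:
            result[sam] = (idmap.get(sid), "idmap.ldb" if sid in idmap else "unmapped", None)
    return result
```

A non-None stale_xid means the user's files on the DC were created under the idmap.ldb uid and will no longer match once the rfc2307 attribute is honoured.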