[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny241155 at gmail.com
Tue Nov 10 13:38:02 UTC 2015

On 07/11/15 23:28, Michael Adam wrote:
> Ok, why do you strictly need it?
> I understand that it gives you a better feeling,
> and it may be convenient but which scenario really
> requires it? Most important is the central auth db.
> If the IDs on the various DCs and members in the
> domain do not have the same sets of unix IDs, then
> nevertheless
> - local login will work.
> - ssh login will work.
> - rsync will work if not using --numeric-ids.
> - cifs mount will work.

Hi Michael, as I am mid setup of a new test domain, I thought I would 
try it as you seemed to be suggesting, i.e. without using rfc2307 attributes.
I have come to the conclusion that by using the latest Samba on the DC 
with winbindd, you are using something that is very very similar to a 
samba domain member that uses the 'rid' backend.

- You can connect a domain member using the 'rid' backend to the DC.
- You can log in to the DC as a domain member.
- You can log in to the DC via ssh.
- rsync seems to work.
- You can mount a share from the DC on a domain member, but unless you
  explicitly set the user's local uid & gid in the mount command, the mount
  ends up belonging to the uid of the user on the DC.
- The [homes] share appears to be working again.
- Using the 'rid' backend, you get a user local group.

So, even though what you say is mostly true, I still hold to my belief 
that the best option would be if all Samba machines could use the full set of 
RFC2307 attributes.

