[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny241155 at gmail.com
Tue Nov 10 15:31:10 UTC 2015

On 10/11/15 13:38, Rowland Penny wrote:
> On 07/11/15 23:28, Michael Adam wrote:
>> Ok, why do you strictly need it?
>> I understand that it gives you a better feeling,
>> and it may be convenient but which scenario really
>> requires it? Most important is the central auth db.
>> If the IDs on the various DCs and members in the
>> domain do not have the same sets of unix IDs, then
>> nevertheless
>> - local login will work.
>> - ssh login will work.
>> - rsync will work if not using --numeric-ids.
>> - cifs mount will work.
> Hi Michael, as I am mid setup of a new test domain, I thought I would 
> try it as you seemed to be suggesting i.e. without using rfc2307 
> attributes.
> I have come to the conclusion that by using the latest Samba on the DC 
> with winbindd, you are using something that is very very similar to a 
> samba domain member that uses the 'rid' backend.
> You can connect a domain member using the 'rid' backend to the DC.
> You can login to the DC as a domain member
> You can login to the DC via ssh
> rsync seems to work.
> you can mount a share from the DC on a domain member, but unless you 
> explicitly set the users local uid & gid in the mount command, the 
> mount ends up belonging to the uid of the user on the DC.
> the [homes] share appears to be working again.
> Using the 'rid' backend, you get a user local group.
> So, even though what you say is mostly true, I still hold to my 
> belief, the best option would be if all Samba machines could use the 
> full set of RFC2307 attributes.
> Rowland

OK Michael, I have now given a user a uidNumber and Domain Users a 
gidNumber, I have also changed the domain member to use the 'ad' backend.
So what's changed?
You no longer need the local uid & gid in the mount command.
The local user group has gone.
Something I didn't mention before: with the rid backend, if you opened 
the mounted share in Caja (the GUI file browser), you didn't have full 
control, i.e. you couldn't right-click and create an empty file. This now 
works with the ad backend.

So in my opinion, as long as you use the 'ad' backend on domain members, 
you can use the DC as a fileserver, provided you use a Samba version 
that uses the separate winbindd daemon. I still wouldn't let users log in 
to the DC, and I also don't see any reason to use sssd or nslcd any more.
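For reference, the two domain-member idmap configurations being compared above, side by side in one smb.conf. This is an added illustration, not a file from the thread or from the Samba project; the domain name EXAMPLE, the realm and the ID ranges are assumptions.

```ini
# /etc/samba/smb.conf on a Samba domain member (constructed example;
# workgroup, realm and ranges are placeholders, not values from the thread).
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   winbind use default domain = yes

   # Fallback map for BUILTIN and other well-known SIDs. Its range
   # must not overlap the domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # --- Option 1: 'rid' backend (commented out with ';') ---
   # uid/gid are derived arithmetically from the RID. Every member using
   # the same range derives the same IDs, but the DC, which allocates IDs
   # with its own winbindd, does not share them, hence the need to pass
   # uid=/gid= explicitly when mounting a DC share.
   ;idmap config EXAMPLE : backend = rid
   ;idmap config EXAMPLE : range = 10000-999999

   # --- Option 2: 'ad' backend with RFC2307 attributes ---
   # uid/gid are read from uidNumber/gidNumber stored in AD, so the DC and
   # every member see the same numbers. A user without a uidNumber inside
   # this range is invisible to the member, and the primary group
   # (Domain Users) needs a gidNumber or the user lookup fails.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999

   # Also read loginShell/unixHomeDirectory from AD, with these as defaults
   # when the attributes are absent.
   winbind nss info = rfc2307
   template shell = /bin/bash
   template homedir = /home/%U
```

After restarting winbind, `getent passwd someuser` should return the uidNumber and gidNumber held in AD; an empty result almost always means the attribute is missing or lies outside the configured range.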