[Samba] Man page for idmap_rid

[francis picabia]

On Tue, Aug 9, 2016 at 4:56 PM, Steve Ankeny via samba <
samba at lists.samba.org> wrote:

> On 08/09/2016 03:29 PM, francis picabia via samba wrote:
>
>> We've modified our smb.conf shares about 10 years ago to have
>> valid users with MYDOM\user and it has worked very well.  It is
>> still working well for the most part.
>>
>
> 10 years ago Samba was configured as a traditional NT Domain, not so
> Active Directory.
>
> It's not "pouring beer from a bottle (NT Domain) into a glass (AD)" but
> "opening a 'new' bottle of beer"
>
> In other words, it's two different sets of users (one described by
> smb.conf and the other in the AD LDAP DB)
>
>
Ha ha.  I wondered last night if the beer analogy would work best, and it
seems so.

Here is why it is not a new bottle of beer.

The right hand is pouring the bottle, and the left hand is holding the
glass,
tilted slightly to avoid frothing, so the user is most pleased.  In between
the hands there is an administrative unit known as the brain which has
established a
trust between the left and the right hand being under a common
administration.

There are indeed organizations where the left hand doesn't know what
the right hand is doing, but in general that is not the case, and we have
checks to keep things aligned.

There may be a reason why a developer would want to assume
this is a new bottle of beer in light of recent security issues.

On a few dozen systems running Linux and Solaris and in production,
MYDOM\username = username  as far as we are concerned.  It isn't
unique to Samba.  Many applications have a local user which
maps to the AD user and make the assumption they are the same,
which we can do because we administer both ends.  We're not
talking about self-sign up portals and mailing lists, but things
which are under one administration.

Other than the case of bug report 10604 and Samba 4.2.10 on Debian,
this solution has been working well for us.