[Samba] [samba] Winbindd without RFC2307 question

Rowland Penny rpenny at samba.org
Thu Jul 20 14:06:31 UTC 2017 

On Thu, 20 Jul 2017 15:00:17 +0200
mathias dufresne via samba <samba at lists.samba.org> wrote:

> Because it is a migration, data are existing for years. Files and
> directories are owned by UNIX users (at least at file system level).
> To keep ownership I see only two choices: reproduce UID/GID on the
> new server or change rights on every files and folders.

Yes, they are really the only two choices.

> Yep, to avoid that mess using UNIX attributes into AD LDAP tree will
> greatly simplify that dumb task.
>

Using RFC2307 attributes is the only way to get consistent Unix IDs
everywhere, on DCs and fileservers.
 
> I would have thought as Louis that the result of using idmap_rid (or
> more generally not using centralized DB to store UID/GID list) would
> father randomly attributed UID/GID.

If you use the 'rid' backend, the user and group IDs are calculated
from the RID using this formula:

ID = RID - BASE_RID + LOW_RANGE_ID

The BASE_RID is '0' by default, so this becomes:

ID = RID + LOW_RANGE_ID

The RID is unique, so as long as you use the same smb.conf on all Unix
domain members, you will always get the same IDs. You just cannot
specify what ID a user or group will get. 

> 
> My thought, which can easily be wrong, was:
> members work identically (same range to attribute xID)
> members don't discuss together to exchange UID/GID list
> 
> So they will attribute UID/GID on the fly, with first logged user
> (let's call that one userA) getting first available UID/GID.
> Then if on some other server the first logged user (let's call this
> one userB) is not the same than the first user on the other server
> If members really attribute first number to first connected users,
> this will result userA on serverA having same UID/GID than userB on
> serverB.
> 
> I could be wrong but if it the case I would greatly appreciate to be
> explained why I was wrong.

Yes, you are wrong ;-)
Well, wrong when it comes to Unix domain members, but this is very much
the way a DC works.

> That's a Samba files server migration. A samba server is existing, it
> hosts data, data are owned by users, user's UID/GID were generated by
> Samba on the old server (security = ADS + passdb backend =
> tdbsam:/etc/samba/private/passdb.tdb).
> 
> As data are existing and are owned by users, I must keep user
> ownership on the new server.
> 
> To keep user ownership the two options I see are (as already written
> earlier in that mail) to reproduce UID/GID in users list or if users'
> UID/GID are changed I must also change rights applied on the FS.
> 
> Now you asked for my smb.conf, the one from the new server is the one
> I exposed in my first mail in that thread.
> Regarding the old server I put in parenthesis earlier the only two
> lines which seems (to me) related to authentication and xID
> attribution.
> 

It sounds to me that your best option will be to carry out a
'classicupgrade' 

Rowland

More information about the samba mailing list