[Samba] Replace AD DC FS with 2 new servers

Rowland Penny rpenny at samba.org
Mon Nov 26 17:08:32 UTC 2018


On Mon, 26 Nov 2018 17:27:29 +0100
Mark Amundsen via samba <samba at lists.samba.org> wrote:

> > >
> > > Is 'idmap rid' a better choice than ad? Can I still copy files
> > > with rsync in that case or will file ownership be mangled?
> > 
> > Quantify better ?
> > One isn't really better than the other, they are both usable, but in
> > different ways and reasons.
> > It might help if you read this:
> > 
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> I've read it several times, but i start to think that I simply don't
> understand the concepts.

The concepts are fairly simple: you only need uidNumber & gidNumber
attributes in AD if you want the same numeric IDs everywhere.

DCs use xidNumber attributes and these are only used on a DC.

You can use either the 'ad' or 'rid' backend on a Unix domain member
and only on a Unix domain member.

> 
> The old server does not have idmap config in the smb.conf (because it
> is a DC, right?).

You cannot use the 'idmap config' lines on a DC.

> 
> 
> 
> If I ls a file in the old fileserver, it looks like this:
> 
> -rwxrwx---+ 1 3000148 users  31M sep 19 15:16 10160-101.zip
> 
> So, 3000248 is a UID.

To be honest, it looks like an 'xidNumber', the '3000000' numbers
normally only occur on a Samba AD DC, was the old fileserver a DC ?

> 
> If I use winbind 'rid' backend and copy the file above to the new
> server with rsync it will keep 3000148 as owner, but will 3000148 be
> connected to the same login on both servers?

Not necessarily, as I said, '3000148' looks like an xidNumber from
idmap.ldb and, as is well known, you probably would get a different
number on another DC, the same will go for a Unix domain member using
the 'rid' backend.
The user's UID on a Unix domain member using the 'rid' backend is
calculated from the user's 'RID' with this equation:

ID = RID - BASE_RID + LOW_RANGE_ID

All RIDs start from '1000' and the BASE_RID is '0' unless set to a
different number, so, from this and the info provided below, the
equation could be written as this:

ID = RID + 3000000

And using the lowest RID

ID = 1000 + 3000000

ID = 3001000

So, no, you will never see the ID '3000148' on a Unix domain member.

> 
> 
> 
> I think that I'll just add a testserver to find out how it works.
> 
> [global]
>        security = ADS
>        workgroup = SAMDOM
>        realm = SAMDOM.EXAMPLE.COM
> 
>        log file = /var/log/samba/%m.log
>        log level = 1
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999
>        idmap config SAMDOM : backend = rid
>        idmap config SAMDOM : range = 3000000-3999999
> 
> Will that do (but replace SAMDOM with my realm)?

Yes, but just as long as you understand that you will never get the
same numeric IDs everywhere.

Rowland
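The arithmetic in the reply above, worked through in code. This is an added example, not part of the thread and not Samba's own code: it parses the 'idmap config' lines of the smb.conf fragment quoted above (a constructed copy of it is embedded), applies ID = RID - BASE_RID + LOW_RANGE_ID for the 'rid' backend, and inverts it to check whether a numeric ID seen on disk, such as 3000148, could have come from that backend. The default BASE_RID of 0 is the one the reply states; the lowest RID of 1000 is likewise taken from the reply and passed as a parameter.

```python
import re

# Constructed sample: the idmap fragment of the smb.conf quoted in this thread
SMB_CONF = """\
[global]
       security = ADS
       workgroup = SAMDOM
       realm = SAMDOM.EXAMPLE.COM
       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
       idmap config SAMDOM : backend = rid
       idmap config SAMDOM : range = 3000000-3999999
"""

# Matches lines of the form:  idmap config DOMAIN : option = value
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line in smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            cfg.setdefault(domain, {})[option.lower()] = value
    return cfg


def rid_range(cfg, domain):
    """Return (low, high, base_rid) for a domain that uses the 'rid' backend."""
    dom = cfg[domain]
    if dom.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain!r} does not use the rid backend")
    low, high = (int(x) for x in dom["range"].split("-"))
    base_rid = int(dom.get("base_rid", "0"))   # BASE_RID is 0 unless configured
    return low, high, base_rid


def rid_to_id(rid, cfg, domain):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result falls outside the range."""
    low, high, base_rid = rid_range(cfg, domain)
    ident = rid - base_rid + low
    return ident if low <= ident <= high else None


def id_to_rid(ident, cfg, domain):
    """Invert rid_to_id: the RID a numeric ID inside the domain's range would come from."""
    low, high, base_rid = rid_range(cfg, domain)
    if not low <= ident <= high:
        return None
    return ident - low + base_rid


def sid_to_rid(sid):
    """The RID is the last component of a SID such as S-1-5-21-...-1000."""
    return int(sid.rsplit("-", 1)[1])


def explain_id(ident, cfg, domain, lowest_rid=1000):
    """Say whether a numeric ID seen on disk can come from the rid backend."""
    rid = id_to_rid(ident, cfg, domain)
    if rid is None:
        return f"{ident}: outside the {domain} rid range"
    if rid < lowest_rid:
        return f"{ident}: would need RID {rid}, below the lowest RID {lowest_rid}"
    return f"{ident}: maps to RID {rid} in {domain}"


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    # Constructed SID; only its final component (the RID) matters here
    print(rid_to_id(sid_to_rid("S-1-5-21-1-2-3-1000"), cfg, "SAMDOM"))
    print(explain_id(3000148, cfg, "SAMDOM"))
    print(explain_id(3001000, cfg, "SAMDOM"))
```

Running it shows that RID 1000 lands on 3001000, and that 3000148 would require RID 148, which is below the lowest RID the reply gives, so it cannot be a rid-backend ID under this configuration; the ranges of '*' and SAMDOM in the parsed config also do not overlap, which is what winbind requires.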
 



