[Samba] id mapping on a dc+file server

[Rowland penny]

On 10/08/2019 08:00, Stefan G. Weichinger via samba wrote:
> Am 09.08.19 um 19:57 schrieb Rowland penny via samba:
>> On 09/08/2019 18:13, Stefan G. Weichinger via samba wrote:
>>> Am 09.08.19 um 12:49 schrieb Rowland penny via samba:
>>>> On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>>>>>> You have to give any users you require visible on Unix a uidNumber
>>>>>> attribute
>>>>> Ok, I can do it with samba-tool user edit...
>>> I think my rsnapshot-issue corresponds with this thread as well.
>>>
>>> wbinfo -i userXY shows different uids on the DC and the DM.
>>>
>>> Therefore the rsynced files belonging to uid-of-user-on-DM are shown as
>>> plain uid-number on the DC and can't be accessed correctly.
>>>
>>> Seems I need to add a uid as well.
>>>
>>> sorry if I hijacked here, just adding my current view ...
>>>
>>>
>> Ah, so you are backing up something from a DC to a Unix domain member,
>> then you may have problems.
>>
>> There are three main methods of setting IDs:
>>
>> On a DC, by default, idmap.ldb is used, this stores the IDs in xidNumber
>> attributes and the range starts at '3000000', these numbers are only
>> used on a Samba AD DC.
>>
>> For Unix domain members, there are the 'rid'  and 'ad' winbind backends,
>> the 'rid' backend calculates the ID from the RID and the low DOMAIN
>> range set in smb.conf, so if the low range is '10000' and the first RID
>> is '1000' the first user ID will be '11000'
>>
>> The 'ad' backend uses the uidNumber & gidNumber attibutes from AD, as
>> long as they are inside the DOMAIN range set in smb.conf.
>>
>> The only way to get the same  IDs everywhere on Unix is to use the
>> uidNumber  & gidNumber attributes, they will override the xidNumbers on
>> a DC, but you will have to use the 'ad' backend.
>>
>> If you use the 'rid' backend, you can get the same IDs on Unix domain
>> members, but only if you use the same 'idmap config' lines on all Unix
>> domain members, however you will still have different IDs on the DC's.
>>
>> A different way around this would be to backup to a directory and then
>> tar the directory into a file.
> Rowland thank you for explaining this (or trying to explain, I still
> have to re-read and find it over-complicated).
>
> I try another rsync-parameter now to map via user/group-names instead of
> ids. For the use-case of backups/snapshots this might be enough.

I will try again ;-)

On a DC, as standard, the numeric IDs are allocated on a first come 
basis from the '3000000' range.

On Unix domain members it depends on two things, which winbind backend 
you use, linked with the Domain range set in AD, the examples on the 
Samba wiki use '10000-999999'

If you use the 'rid' backend, then the IDs are calculated via this formula:

ID = RID - BASE_RID + LOW_RANGE_ID

The 'BASE_RID' is always '0' (unless you set it to something else, but 
why would you ?)

So the formula is really:

ID = RID + LOW_RANGE_ID

So lets fill that in with data, '1000' for the RID and the low range 
from the wiki example '10000'

ID = 1000 + 10000

Or

ID = 11000

I will leave you to calculate the ID for Domain Users, given that its 
RID is always '513'

I hope you can see that, if you do nothing, you will never get the same 
numeric ID on a DC and a Unix domain member using the winbind 'rid' backend.

The only way to get the same numeric IDs everywhere is to use the 
winbind 'ad' backend. this relies on the addition of uidNumber 
attributes to users and gidNumber attributes to groups. These 'number' 
must be inside the range set in smb.conf, any 'numbers' outside the 
range will be ignored. You must ensure that Domain Users is given a 
gidNumber, or all your users will be ignored.

HTH

Rowland