[Samba] idmap config ad

Rowland Penny rpenny at samba.org
Mon Jan 28 19:18:16 UTC 2019


On Mon, 28 Jan 2019 18:42:04 +0000
James Zuelow <James.Zuelow at juneau.org> wrote:

> 
> 
> 
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > Rowland Penny via samba
> > Sent: Monday, January 28, 2019 8:25 AM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] idmap config ad
> > 
> > On Mon, 28 Jan 2019 18:07:35 +0100
> > Harry Jede via samba <samba at lists.samba.org> wrote:
> > 
> > > Am 28.01.19 um 16:46 schrieb Viktor Trojanovic via samba:
> > > > So, a few questions come to mind:
> > > >
> > > > - Did I miss something important?
> > > > - When would you actually choose the rid backend over the ad
> > > > one?
> > >
> > > If you are too lazy or too busy to fill in all required unix
> > > attributes. And yes, do not forget maintenance.
> > 
> > As I said, I would only use the 'rid' backend in a small domain.
> > Most of these would be a small office and would likely be run by
> > someone who hasn't really got a clue ;-)
> > 
> 
> Well, I guess I'm lazy and have no clue.
> 
> I've been using the rid back-end on Samba for as long as I can
> remember.  My oldest file server has been upgraded since I first
> built it for an NT4 domain, so the rid configuration probably
> appeared shortly after we moved to AD from NT4.
> 
> I guess we're a smallish domain.  About 1500 users, two other domains
> that come in via transitive trusts.
> 
> The rid back-end, as I understand it, maps the domain user or group
> SID to a unix UID/GID.  It is a simple concept, and simple is good in
> my book.

It is actually the RID that is mapped, but if all you need is the ID
mapping then, yes, it is a simple concept, but others need more ;-)

> 
> Assuming the rid configuration is the same across Samba member
> servers (range and base rid), a Windows domain user accessing a Samba
> server has the same UID and GID on any of them.
> 
> This allows me to do things like rsync or scp files with permissions
> intact, etc.  With extended attribute support for the file system we
> get granular Windows style permissions, and a backup system that
> groks extended ACLs backup and restore isn't a problem.
> 
> It works like a charm, and has been working.
> 
> So what clues am I missing?
> 
> What maintenance do I have to do for the rid to work better?  The AD
> user accounts never change their SIDs, and as long as the mechanism
> to map SIDs to UIDs doesn't change I'm kind of at a loss as to what I
> should be maintaining here.

As I said, others need more than what you require, but if it works for
you, who am I to knock your setup? The 'rid' backend limits you to the
uidNumber & gidNumber attributes, the 'ad' backend allows you to use a
large amount of the RFC2307 attributes.

Rowland
 
> 
> Thanks!
> 
> James
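To make the mapping James describes concrete (identical range and base rid on every member server gives the same UID everywhere, a different range silently gives a different one), here is an added example that is not from this thread or from Samba itself. It parses constructed `idmap config` lines for two hypothetical member servers and applies the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID; the domain name, ranges and SID are made up.

```python
import re
from dataclasses import dataclass

# Constructed smb.conf fragments for two hypothetical member servers.
# Server B has a different low range for the same domain, the kind of
# drift that makes rsync'd files land with the wrong owner.
SERVER_A_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
"""
SERVER_B_CONF = """
[global]
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 20000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M | re.I)

@dataclass(frozen=True)
class RidIdmap:
    low: int
    high: int
    base_rid: int = 0  # assumption: default base_rid of 0

    def sid_to_id(self, sid: str) -> int:
        """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, refusing IDs
        that fall outside the configured range (Samba maps nothing there)."""
        rid = int(sid.rsplit("-", 1)[1])
        unix_id = rid - self.base_rid + self.low
        if not self.low <= unix_id <= self.high:
            raise ValueError(f"RID {rid} -> {unix_id} is outside "
                             f"{self.low}-{self.high}")
        return unix_id

def parse_idmap(conf: str, domain: str) -> RidIdmap:
    """Collect the idmap config lines for one domain into a RidIdmap."""
    opts = {k.lower(): v for d, k, v in IDMAP_RE.findall(conf)
            if d.upper() == domain.upper()}
    if opts.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain}: backend {opts.get('backend')!r} is not rid")
    low, high = (int(x) for x in opts["range"].split("-"))
    return RidIdmap(low, high, int(opts.get("base_rid", 0)))

def consistent(conf_a: str, conf_b: str, domain: str, sid: str) -> bool:
    """True only if both servers map the SID to the same unix ID."""
    return (parse_idmap(conf_a, domain).sid_to_id(sid)
            == parse_idmap(conf_b, domain).sid_to_id(sid))
```

Running `consistent` over the real smb.conf of each member server before copying files between them catches the range drift that James's setup avoids by keeping the configuration identical.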
