[Samba] id mapping

Rowland Penny rpenny at samba.org
Mon Sep 20 06:55:24 UTC 2021


On Sun, 2021-09-19 at 22:02 -0400, Nick Couchman wrote:

> I might be splitting hairs, but this statement isn't true. 

Yes it is. Samba does not produce sssd, so cannot support it; Red Hat
(who do produce sssd) only support its use with idmap-sss, this means
authentication only, no fileserving.
 
> Unsupported, as in I'll be ridiculed on this mailing list for running
> it this way? Good to know.

No, you will not be ridiculed for using it, it will just be pointed out
that Samba doesn't support its use because Samba doesn't produce it.


> This is the _default_ setting, but not the _only_ setting. I can very
> easily add local users with the "useradd" command that are well above
> the 1000-1999 range. I can also change the default settings of a
> Linux distribution to use a different range of user IDs, say 6000 -
> 6999. It's pretty easy. So, if I wanted to, I could have winbind
> allocate IDs 1001 - 1999, and I would still have 2000 - 65535
> (actually, much higher these days, but that's the old-world UNIX
> maximum) to allocate in /etc/passwd and /etc/group. The math adds up
> to far more than 1. Even the "reservation" of IDs below 1000 for
> system users is encouraged as a best-practice, and a sort of
> recognized de facto standard, but there's nothing special about those
> IDs (aside from, maybe, 0).

You can do whatever you like, it is your setup; whether Linux or Samba
will provide support is debatable.

> My point is that tdb will end up with AD users that have different
> IDs on different Linux systems. In many scenarios, particularly ones
> where you have mostly Windows environments, where you don't care
> about what the local ID actually is, this doesn't matter at all.
> There are some places where it does matter - for example, when you
> have shared/clustered filesystems (NFSv3, GFS(2), or NFSv4 without ID
> mapping), or you're replicating things at a below-filesystem level
> (e.g. zfs send/receive, drbd, etc.). In those cases it can be
> extremely helpful when UID and GID numbers match up across systems,
> which means that they need to be generated deterministically.


If you use the same smb.conf file on all Unix domain members, your
DOMAIN users and groups will always get the same IDs, what may get
different IDs are the Well Known SIDs and any user or group that is
outside the DOMAIN domain. Never use tdb for the DOMAIN domain.


> Thank you. Sorry to have hijacked the thread. Feel free to ignore me
> and carry on.

No, your comments are valid, wrong in my opinion, but valid
nonetheless.

Rowland
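
Added example, not part of the original message and not Samba code: a small model of why an allocating backend such as tdb can hand the same AD user different Unix IDs on two domain members, while an algorithmic mapping driven by identical settings cannot. Assumptions: the thread does not name a backend for DOMAIN, so the algorithmic side uses the formula documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID); the domain SID, RIDs and ranges are constructed sample values.

```python
"""Added illustration: allocating vs algorithmic ID mapping (not Samba source code)."""

# Constructed sample SIDs; the domain SID and RIDs are made up for this example.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, BOB, CAROL = (f"{DOMAIN_SID}-{rid}" for rid in (1104, 1105, 1106))


class AllocatingMapper:
    """Models an allocating backend such as tdb: next free ID, first come first served."""

    def __init__(self, low, high):
        self.next_id, self.high, self.table = low, high, {}

    def sid_to_id(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise OverflowError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def rid_to_id(sid, domain_sid, low, high, base_rid=0):
    """Algorithmic mapping in the style of idmap_rid: ID = RID - base_rid + low."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:
        raise ValueError("SID is not in the configured domain")
    unix_id = int(rid) - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError("mapped ID falls outside the configured range")
    return unix_id


def map_all(mapper, sids):
    """Resolve SIDs in the order given, as a member would on first lookup."""
    return {sid: mapper(sid) for sid in sids}


def demo():
    # Two domain members with identical ranges see the same users in different order.
    member_a = AllocatingMapper(3000, 7999)
    member_b = AllocatingMapper(3000, 7999)
    alloc_a = map_all(member_a.sid_to_id, [ALICE, BOB, CAROL])
    alloc_b = map_all(member_b.sid_to_id, [CAROL, ALICE, BOB])
    algo = lambda sid: rid_to_id(sid, DOMAIN_SID, 10000, 999999)
    algo_a = map_all(algo, [ALICE, BOB, CAROL])
    algo_b = map_all(algo, [CAROL, ALICE, BOB])
    return alloc_a, alloc_b, algo_a, algo_b
```

On storage that carries raw UID/GID numbers between hosts, the mismatch in the allocating case means a file owned by one user on member A shows up as owned by a different user on member B.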




