[Samba] Moving to AD for idmap backend

[Rowland Penny]

On 28/11/2022 18:40, Vaughan, Robert J via samba wrote:
>> Hello Samba listers
>>
>> We're looking at moving to idmap backend AD for our Samba domain member servers
>>
>> One concern I had is our corporation assigns uid for users in one corp sub-domain (A.X.com) interspersed with users from our other corp sub-domain (B.X.com) so that the range must be overlapping
>>
>> Some testing by a colleague shows Samba notes the overlap in the log but seems to work fine
>>
>> Can someone say if this should be fine, allowing that corp makes sure the uid are all unique in AD?
> 
>>> Are you going to be using more of the rfc2307 attributes than
>>> 'uidNumber' and 'gidNumber' ?
> 
>>> If not, then I suggest you totally ignore them, use one of the domains
>>> as your main domain and add a trust for the other, then use either the
>>> 'autorid' or 'rid' idmap backend.
> 
> Yes, we will need to use shell and homedir too (to support unix and linux shell logins for some users)

Oh well.

> 
> So to be clear, corp assigns uid and we must have Samba use these assignments

To be clear, whoever thought up the idea of assigning the uidNumber & 
gidNumber attributes for two domains from the same pool is, in my 
opinion, an idiot. Not even Windows does this, every DC has its own RID 
pool, you can look at a RID and know on which DC it was created.

> 
> Some of these uid are even, unfortunately, below 1000 currently

A really BIG idiot, didn't they have any idea about Unix ?

The problem is that you shouldn't overlap domain ranges, which you are 
going to have to and this will lead to a collision somewhere down the 
line when a user or group is created at the same time as another and 
they both get the same ID number (yes it will happen, it is not case of 
if, it is when).

I cannot recommend your set up, but it may be the only way, unless you 
can change the way that the rfc2307 attributes are allocated and, from 
the sound of it, it isn't going to happen.

Rowland