Re: [Samba] ACL SHARE

On Tue, 27 Jun 2017 21:55:15 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> But that's easy scriptable. ;-)
> I have my scripts always ready for that. 
> This is why I run samba in AD mode and not RID. 
> If you compare the AD backend disadvantages
> Disadvantages: 
> If the Windows Active Directory Users and Computers (ADUC) program is
> not used, you have to manual track ID values to avoid duplicates. The
> values for the RFC2307 attributes must be set manually.

You don't have to manually track the IDs; if you are using your own
scripts, you can script around this by adding the two missing
attributes and then updating these after adding a new user or group.

> To RID
> Disadvantages: 
> >> File ownership of domain users and groups are lost, when the local
> >> ID mapping database corrupts. << is ow so nasty.

Corrupt databases are possible whatever you use, but when you get one,
yes it is nasty.

> All users on the domain member get the same login shell and home
> directory base path assigned. User and group IDs are only the same on
> other domain members using the rid back end, if the same ID ranges
> are configured for the domain. All accounts and groups are
> automatically available on the domain member and individual entries
> cannot be excluded. Not recommended for multi-domain environments
> because objects in different domains having the same relative
> identifier (RID) get the same ID assigned.

Agree with all those points, though I should comment on the last one.
Work has been made to make it so that the DOMAIN ranges can overlap,
though this will mean that you will probably not be able to use
'winbind use default domain = yes', not sure if this will make 4.7.

> And managing the uid/gids from win7 RSAT tools is fine for me. 
> But thats my opinion. 
> RID.. Fine for home or an office server without shares or shared home
> folders or guest shares. But your main document server, always for AD
> for me. It happened to me once.. 9 years ago. Arg .. At that point I
> also didn't have nice scripts.. A night work.. :-/ 

I would tend to agree, if you only have one or two fileservers, you
can use the 'rid' backend, any more than that, use the 'ad' backend. If
you use a DC as a fileserver (not really recommended, but sometimes you
have to) use the 'ad' backend.
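As an added illustration of the "script around this" approach discussed above (this is not code from the thread or from Samba itself): a small helper that reads the uidNumber/gidNumber values already present in AD, picks the lowest free value inside the configured range, and emits an LDIF for ldbmodify. The sam.ldb path, the ID range and the allocate_id.py name are assumptions; the range must match the 'idmap config DOMAIN : range' used on every 'ad'-backend member.

```python
#!/usr/bin/env python3
"""Allocate the next free uidNumber/gidNumber for a new AD user or group.
Assumed helper, not Samba's own tooling; run on a DC as root."""
import subprocess

# RFC2307 ID range for this domain (assumed values). Keep it identical to
# 'idmap config DOMAIN : range' on all 'ad'-backend domain members.
RANGE_START, RANGE_END = 10000, 19999

def parse_ldb_ids(output, attr):
    """Collect the integer values of `attr` from ldbsearch's LDIF output."""
    ids = set()
    for line in output.splitlines():
        key, sep, val = line.partition(':')
        if sep and key.strip() == attr and val.strip().isdigit():
            ids.add(int(val.strip()))
    return ids

def next_free_id(used, start=RANGE_START, end=RANGE_END):
    """Lowest unused ID in [start, end]; ValueError when the range is full."""
    for candidate in range(start, end + 1):
        if candidate not in used:
            return candidate
    raise ValueError(f"no free IDs left in {start}-{end}")

def modify_ldif(dn, attr, value):
    """LDIF that sets `attr` on `dn`, suitable for piping into ldbmodify."""
    return f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {value}\n"

def allocate(dn, attr, sam_db="/var/lib/samba/private/sam.ldb"):
    """Query AD for every existing `attr` value and build the LDIF for dn.
    Not atomic: two admins running this at the same moment could pick the
    same ID, so serialise allocations (one script, one host)."""
    out = subprocess.run(["ldbsearch", "-H", sam_db, f"({attr}=*)", attr],
                         capture_output=True, text=True, check=True).stdout
    return modify_ldif(dn, attr, next_free_id(parse_ldb_ids(out, attr)))

if __name__ == "__main__":
    import sys
    # usage: ./allocate_id.py "CN=jdoe,CN=Users,DC=example,DC=com" uidNumber \
    #          | ldbmodify -H /var/lib/samba/private/sam.ldb
    sys.stdout.write(allocate(sys.argv[1], sys.argv[2]))
```

Run it once with uidNumber for the user and once with gidNumber for the primary group; a user without both attributes is simply skipped by the 'ad' backend.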