Re: [Samba] [samba] Winbindd without RFC2307 question




2017-07-20 16:06 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:

> On Thu, 20 Jul 2017 15:00:17 +0200
> mathias dufresne via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Because it is a migration, the data have existed for years. Files and
> > directories are owned by UNIX users (at least at file system level).
> > To keep ownership I see only two choices: reproduce UID/GID on the
> > new server or change rights on every file and folder.
>
> Yes, they are really the only two choices.
>

I had to try...


>
> > Yep, to avoid that mess, using UNIX attributes in the AD LDAP tree will
> > greatly simplify that dumb task.
> >
>
> Using RFC2307 attributes is the only way to get consistent Unix IDs
> everywhere, on DCs and fileservers.
>

I'm still explaining that to my client... but it seems this one likes mess.
And I'm paid to do what they ask (after I told them what I think of what
they ask me to do; at least there's a fun part in that).


>
> > I would have thought, as Louis did, that the result of using idmap_rid
> > (or more generally not using a centralized DB to store the UID/GID
> > list) would rather randomly attribute UID/GID.
>
> If you use the 'rid' backend, the user and group IDs are calculated
> from the RID using this formula:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> The BASE_RID is '0' by default, so this becomes:
>
> ID = RID + LOW_RANGE_ID
>
> The RID is unique, so as long as you use the same smb.conf on all Unix
> domain members, you will always get the same IDs. You just cannot
> specify what ID a user or group will get.
>

OK, so there's a way to keep coherent UID/GID on members without RFC2307.
That needs all members to use the RID backend (and perhaps a recent enough
Samba version) but still, it's possible. Nice to learn :)

For those in the back who do not follow: the RID is the last part of the
objectSID LDAP attribute. Last part = after the last "-" (dash).


>
> >
> > My thought, which can easily be wrong, was:
> > members work identically (same range to attribute xID)
> > members don't talk to each other to exchange the UID/GID list
> >
> > So they will attribute UID/GID on the fly, with the first logged-in
> > user (let's call that one userA) getting the first available UID/GID.
> > Then, if on some other server the first logged-in user (let's call
> > this one userB) is not the same as the first user on the other server,
> > and if members really attribute the first number to the first
> > connected user, this will result in userA on serverA having the same
> > UID/GID as userB on serverB.
> >
> > I could be wrong, but if that is the case I would greatly appreciate
> > being told why I was wrong.
>
> Yes, you are wrong ;-)
>

No matter, you gave me a nice explanation ;)


> Well, wrong when it comes to Unix domain members, but this is very much
> the way a DC works.
>

If DCs generated their xIDs using some method like the RID backend, that
could have saved a lot of time regarding xID coherency and GPO retrieval...
at least to me.


>
> > That's a Samba file server migration. A Samba server exists; it
> > hosts data, the data are owned by users, and the users' UID/GID were
> > generated by Samba on the old server (security = ADS + passdb backend =
> > tdbsam:/etc/samba/private/passdb.tdb).
> >
> > As the data exist and are owned by users, I must keep user
> > ownership on the new server.
> >
> > To keep user ownership, the two options I see are (as already written
> > earlier in that mail) to reproduce UID/GID in the users list, or, if
> > users' UID/GID are changed, I must also change the rights applied on
> > the FS.
> >
> > Now you asked for my smb.conf; the one from the new server is the one
> > I exposed in my first mail in that thread.
> > Regarding the old server, I put in parentheses earlier the only two
> > lines which seem (to me) related to authentication and xID
> > attribution.
> >
> >
>
> It sounds to me that your best option will be to carry out a
> 'classicupgrade'
>

Nothing like that :/
They have a working MS AD domain which they are not too fond of changing.
Even a schema update to include RFC2307 seems too much...
Anyway, I just learned they were manually attributing UID/GID using scripts.
Perhaps by digging into them I'll find a list of username:uid:gid:SID which
would save a lot of... time.

Thank you for your help, have a nice day : )

mathias


>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
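The two behaviours discussed in the thread, the deterministic idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) versus a first-come-first-served allocator that hands out IDs in login order, as an added worked example. This is not code from the thread or from Samba: the domain SID, the two user RIDs and the range 10000-999999 are constructed sample data, and the allocator is a toy model of what an allocating backend such as idmap_tdb does, not its real implementation. The parameter names referenced in comments (`idmap config DOM : backend = rid`, `range`, `base_rid`) are the real smb.conf settings.

```python
import re

# Constructed assumption: a domain SID is S-1-5-21-<three sub-authorities>-<RID>;
# the RID is the last dash-separated component. A BUILTIN SID such as
# S-1-5-32-544 is not a domain SID and is deliberately rejected here.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the RID of a domain SID, i.e. the number after the last '-'."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_backend_id(sid: str, low: int, high: int, base_rid: int = 0):
    """idmap_rid mapping as described in the thread: ID = RID - BASE_RID + LOW_RANGE_ID.

    low/high are the 'idmap config DOM : range = low-high' values and base_rid
    the 'idmap config DOM : base_rid' value (0 by default). Returns None when
    the computed ID falls outside the range, which is what a too-narrow range
    looks like in practice: the user simply gets no Unix ID on that member.
    """
    xid = rid_from_sid(sid) - base_rid + low
    if xid < low or xid > high:
        return None
    return xid


class AllocatingBackend:
    """Toy model (not Samba's code) of a first-come-first-served allocator:
    the first SID a host looks up gets the lowest free ID, so two hosts that
    see users in a different order end up with different mappings."""

    def __init__(self, low: int, high: int):
        self.low, self.high = low, high
        self.next_free = low
        self.mapping = {}

    def lookup(self, sid: str) -> int:
        if sid not in self.mapping:
            if self.next_free > self.high:
                raise RuntimeError("idmap range exhausted")
            self.mapping[sid] = self.next_free
            self.next_free += 1
        return self.mapping[sid]


def compare_members(login_order_a, login_order_b, low, high):
    """Map the same users on two members that see logins in different orders.

    Returns (rid_ids, alloc_a, alloc_b): rid_ids is identical on every member
    by construction; the two allocator maps disagree whenever the order differs.
    """
    rid_ids = {sid: rid_backend_id(sid, low, high) for sid in login_order_a}
    server_a = AllocatingBackend(low, high)
    server_b = AllocatingBackend(low, high)
    alloc_a = {sid: server_a.lookup(sid) for sid in login_order_a}
    alloc_b = {sid: server_b.lookup(sid) for sid in login_order_b}
    return rid_ids, alloc_a, alloc_b


# Constructed sample data: a made-up domain SID and two users.
DOMAIN = "S-1-5-21-1234567890-987654321-1122334455"
USER_A = f"{DOMAIN}-1105"
USER_B = f"{DOMAIN}-1106"

if __name__ == "__main__":
    low, high = 10000, 999999  # idmap config SAMDOM : range = 10000-999999
    rid_ids, alloc_a, alloc_b = compare_members(
        [USER_A, USER_B], [USER_B, USER_A], low, high)
    print("rid backend, same on every member:", rid_ids)
    print("allocating backend, server A:", alloc_a)
    print("allocating backend, server B:", alloc_b)
```

Running it shows userA and userB getting 11105 and 11106 on both members with the rid formula, while the allocator gives userA 10000 on server A and 10001 on server B, the collision Mathias described. The range check is the caveat to keep in mind: with the same `range` on every member the IDs agree, but a range too small for the domain's highest RID silently leaves users unmapped rather than wrapping or colliding.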