Re: [Samba] samba 4 ad member - idmap = ad for machine accounts

On Mon, 18 Sep 2017 18:25:56 +0200
Denis Cardon via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi LPH,
> > Drawbacks for RID, yes, multiple, but maybe it does not apply for
> > you.
> >
> > Read the Advantages and Disadvantages
> > https://wiki.samba.org/index.php/Idmap_config_ad
> > https://wiki.samba.org/index.php/Idmap_config_rid
> >
> > My reason for NOT using RID on FILESERVER setups.
> > Only one : File ownership of domain users and groups are lost, when
> > the local ID mapping database corrupts.

I have seen this mentioned before, but surely all that will happen is
(like on a DC) you will see numbers instead of names and these numbers
would be valid again when Samba is repaired.

> I think this line is an unfortunate "copy & paste" from a TDB backend 
> disadvantage listing. Indeed IDMAP RID is based on RID like its name 
> states, so there is no mapping database, only a local cache.
> IMHO the only item that really matters in the "disadvantages" section
> is : "All users on the domain member get the same login shell and
> home directory base path assigned", and the others points are not
> that relevant.

I am thinking of re-writing that section, for instance:

User and group IDs are only the same on other domain members using the
rid back end, if the same ID ranges are configured for the domain.

Could be turned into an advantage if the word 'only' is removed

> The only two cases where I keep a rfc2307 mapping during a migration
> are technical/historical constraints (eg. uidnumber are used all over
> the place in UNIX contexts, like NFS mounts, user profiles, mail
> servers user mappings, old solaris workstations, etc.), or it is too
> much of a hassle to reset too many ACLs on too many file servers. In
> other cases, during classic upgrade I just switch old rfc2307 mapping
> to RID.
> Handling rfc2307 mapping is not (yet) fully transparent, its command 
> line tooling is not fool proof, RSAT rfc2307 on win7 isn't really 
> ergonomic, and the "unix attributes" tab disappeared on win10...

What is really needed is something that uses the RID for the ID and the
other RFC2307 attributes for login shell, Unix homedir etc.

> msSFU30MaxUidNumber attribute has no pooling system like RID, so
> there is nothing preventing you from having two users with identical
> uid on a large domain... I had a talk with Andrew Bartlett about
> having a pooling system for uidnumber/gidnumber like the RID one,
> that would indeed make rfc2307 a first class citizen.

I think you are referring to having a UnixID master similar to the RID
master. It cannot be hard to do something like this (famous last words).
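As an added example (not code from this thread's authors or from the Samba project), the Python below models how the rid backend turns a SID into a Unix ID and why the thread says IDs only agree across members that configure the same range. It applies the formula documented in idmap_rid(8), ID = RID + LOW_RANGE_ID, and leaves a RID unmapped when the result falls outside the range. The two smb.conf fragments, the SAMDOM domain name, the domain SID and the RIDs are all constructed for the example.

```python
"""Model of idmap_rid ID derivation (added example; not Samba's own code).

idmap_rid(8): ID = RID + LOW_RANGE_ID; IDs outside the configured range
are not mapped. Everything below (domain, SIDs, configs) is constructed.
"""
import re

# Constructed smb.conf fragments for two hypothetical domain members.
# Member A and member B differ only in the low end of the SAMDOM range.
MEMBER_A_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""

MEMBER_B_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 20000-999999
"""

DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"  # constructed

_IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap_config(conf):
    """Return {DOMAIN: {param: value}} for the 'idmap config' lines of smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom.upper(), {})[key.lower()] = val
    return cfg


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID as int)."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[0] != "S":
        raise ValueError(f"not a domain SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_id(conf, domain, sid):
    """Map a SID to a Unix ID the way idmap_rid does; None if not mappable.

    None is returned when the domain has no rid backend configured, or when
    RID + low falls outside the configured range (Samba leaves it unmapped).
    """
    dom_cfg = parse_idmap_config(conf).get(domain.upper())
    if not dom_cfg or dom_cfg.get("backend", "").lower() != "rid":
        return None
    low, high = (int(x) for x in dom_cfg["range"].split("-"))
    _, rid = split_sid(sid)
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def ids_agree(conf_a, conf_b, domain, sid):
    """True when two members derive the same Unix ID for the same SID."""
    a = rid_to_id(conf_a, domain, sid)
    b = rid_to_id(conf_b, domain, sid)
    return a is not None and a == b


if __name__ == "__main__":
    user_sid = DOMAIN_SID + "-1105"
    print("member A:", rid_to_id(MEMBER_A_CONF, "SAMDOM", user_sid))
    print("member B:", rid_to_id(MEMBER_B_CONF, "SAMDOM", user_sid))
    print("same range, same ID:", ids_agree(MEMBER_A_CONF, MEMBER_A_CONF, "SAMDOM", user_sid))
    print("different range, same ID:", ids_agree(MEMBER_A_CONF, MEMBER_B_CONF, "SAMDOM", user_sid))
    print("RID beyond range:", rid_to_id(MEMBER_A_CONF, "SAMDOM", DOMAIN_SID + "-1000000"))
```

Because the ID is pure arithmetic on the RID and the range, no per-member database has to survive for ownership to be recoverable: reinstall the member with the same `range` line and the same uids and gids come back. Change the low end of the range on one member, as member B does, and every file it writes to a shared filesystem carries different numeric owners than member A sees.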
