Re: [Samba] Replace AD DC FS with 2 new servers

On Mon, 26 Nov 2018 17:27:29 +0100
Mark Amundsen via samba <samba@xxxxxxxxxxxxxxx> wrote:

> > > Is 'idmap rid' a better choice than ad? Can I still copy files
> > > with rsync in that case or will file ownership be mangled?
> > Quantify better ?
> > One isn't really better than the other, they are both usable, but in
> > different ways and reasons.
> > It might help if you read this:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> I've read it several times, but i start to think that I simply don't
> understand the concepts.

The concepts are fairly simple, you only need uidNumber & gidNumber
attributes in AD if you want the same numeric IDs everywhere.

DCs use xidNumber attributes and these are only used on a DC.

You can use either the 'ad' or 'rid' backend on a Unix domain member
and only on a Unix domain member.

> The old server does not have idmap config in the smb.conf (because it
> is a DC, right?).

You cannot use the 'idmap config' lines on a DC.

> If I ls a file in the old fileserver, it looks like this:
> -rwxrwx---+ 1 3000148 users  31M sep 19 15:16 10160-101.zip
> So, 3000248 is a UID.

To be honest, it looks like an 'xidNumber', the '3000000' numbers
normally only occur on a Samba AD DC, was the old fileserver a DC ?

> If I use winbind 'rid' backend and copy the file above to the new
> server with rsync it will keep 3000148 as owner, but will 3000148 be
> connected to the same login on both servers?

Not necessarily, as I said, '3000148' looks like an xidNumber from
idmap.ldb and, as is well known, you probably would get a different
number on another DC, the same will go for a Unix domain member using
the 'rid' backend.
The user's UID on a Unix domain member using the 'rid' backend is
calculated from the user's 'RID' with this equation:


All RIDs start from '1000' and the BASE_RID is '0' unless set to a
different number, so, from this and the info provided below, the
equation could be written as this:

ID = RID + 3000000

And using the lowest RID

ID = 1000 + 3000000

ID = 3001000

So, no, you will never see the ID '3000148' on a Unix domain member.

> I think that I'll just add a testserver to find out how it works.
> [global]
>        security = ADS
>        workgroup = SAMDOM
>        realm = SAMDOM.EXAMPLE.COM
>        log file = /var/log/samba/%m.log
>        log level = 1
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999
>        idmap config SAMDOM : backend = rid
>        idmap config SAMDOM : range = 3000000-3999999
> Will that do (but replace SAMDOM with my realm)?

Yes, but just as long as you understand that you will never get the
same numeric IDs everywhere.
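The arithmetic the reply above walks through, as an added worked example (not code from the thread or from Samba itself): it parses the quoted 'idmap config' lines, applies the rid backend rule ID = RID - BASE_RID + LOW_RANGE_ID, shows that the lowest RID (1000) lands at 3001000 with the quoted range, and runs the inverse mapping on 3000148 to show why that number cannot come from the rid backend. The `base_rid` option is a real idmap_rid setting; the smb.conf text and the SID in the usage section are constructed for this example, and the overlap check is an extra sanity test that the '*' and SAMDOM ranges do not collide.

```python
# Added example, not part of the Samba list thread or of Samba's own code.
# Implements the winbind 'rid' backend mapping described in the reply:
#     ID = RID - BASE_RID + LOW_RANGE_ID     (BASE_RID = 0 unless configured)
import re

# Constructed smb.conf fragment mirroring the one quoted in the thread.
SMB_CONF = """\
[global]
       security = ADS
       workgroup = SAMDOM
       realm = SAMDOM.EXAMPLE.COM
       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
       idmap config SAMDOM : backend = rid
       idmap config SAMDOM : range = 3000000-3999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(value):
    """'3000000-3999999' -> (3000000, 3999999)."""
    lo, hi = value.split("-")
    return int(lo), int(hi)


def rid_from_sid(sid):
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-1000."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_id(rid, cfg, domain):
    """Apply the rid backend rule; None if the result is outside the range
    (winbind refuses to hand out IDs outside the configured range)."""
    dom = cfg[domain]
    if dom.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = parse_range(dom["range"])
    base_rid = int(dom.get("base_rid", 0))
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def id_to_rid(unix_id, cfg, domain):
    """Inverse of rid_to_id; None if the ID is not in the domain's range."""
    low, high = parse_range(cfg[domain]["range"])
    if not low <= unix_id <= high:
        return None
    return unix_id - low + int(cfg[domain].get("base_rid", 0))


def overlapping_ranges(cfg):
    """Pairs of domains whose idmap ranges overlap (a classic misconfig)."""
    items = sorted((parse_range(o["range"]), d) for d, o in cfg.items() if "range" in o)
    clashes = []
    for ((lo1, hi1), d1), ((lo2, hi2), d2) in zip(items, items[1:]):
        if lo2 <= hi1:
            clashes.append((d1, d2))
    return clashes


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    print("lowest user RID 1000 ->", rid_to_id(1000, cfg, "SAMDOM"))       # 3001000
    sid = "S-1-5-21-1-2-3-1148"                                          # constructed SID
    print(sid, "->", rid_to_id(rid_from_sid(sid), cfg, "SAMDOM"))        # 3001148
    print("3000148 would need RID", id_to_rid(3000148, cfg, "SAMDOM"))  # 148, below 1000
    print("overlapping ranges:", overlapping_ranges(cfg))                # []
```

The inverse mapping is the quick way to answer the original question: an ID seen on the old server maps back to RID 148 under the quoted range, which is below the 1000 the reply says RIDs start from, so it was allocated by the DC's idmap.ldb rather than by the rid backend, and rsync preserving the numeric owner will not preserve the identity.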