Michael Deutschmann
2006-Aug-25 06:23 UTC
[Samba] Concern about 3.0.22->3.0.23b upgrade (algorithmic SIDs issue)
I'm compiling samba-3.0.23b as I write this. However, after studying the documentation, I have some serious concerns about installing it.

The WHATSNEW file says that the method of mapping unix-native uids and gids to SIDs has changed since 3.0.22. As I read this, this would imply that upgrading Samba will cause much breakage because domain users will no longer be able to access files they saved on their own harddisks.

The obvious way to fix this is to insert explicit mappings to the (now legacy) algorithmic SIDs into Samba. But while it is possible to do this with the "net groupmap" command for gids, there's no "net usermap" command to do it with uids. And the user IDs are the bulk of the problem.

As I read the documentation, dumping the winbindd database, tampering with it, and then restoring it might have the needed effect. But I don't use winbindd....

So, what's the procedure for a _seamless_ 22 -> 23b upgrade?

---- Michael Deutschmann <michael@talamasca.ocis.net>
Gerald (Jerry) Carter
2006-Aug-25 13:05 UTC
[Samba] Concern about 3.0.22->3.0.23b upgrade (algorithmic SIDs issue)
Michael,

> The WHATSNEW file says that the method of mapping
> unix-native uids and gids to SIDs has changed since 3.0.22.
> As I read this, this would imply that upgrading Samba
> will cause much breakage because domain users will no
> longer be able to access files they saved on their
> own harddisks.
>
> The obvious way to fix this is to insert explicit
> mappings to the (now legacy) algorithmic SIDs into Samba.
> But while it is possible to do this with the "net
> groupmap" command for gids, there's no "net usermap"
> command to do it with uids. And the user IDs are
> the bulk of the problem.

I would recommend a couple of things:

(a) Use a test server. The 3.0.23 series has some aggressive changes wrt users and groups.

(b) Get the proposed 3.0.23c upgrade patch for 3.0.23b from http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz
    This fixes several issues with standalone servers, domain controllers, and local users on member servers.

Now a few comments:

If you are running a member server and using winbindd, the SID allocation for domain users and groups does not change.

You can use "net groupmap" to set up SIDs for groups and 'pdbedit -a' to add users to the passdb (which will give them an explicit SID in the machine's domain).

cheers, jerry

Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
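
For planning the kind of upgrade discussed in this thread, the following is an added example (not from either poster or from the Samba project) that lists the algorithmic SIDs a pre-3.0.23 server would have derived from local uids and gids, and decodes such a SID found in an ACL back to a unix id. It assumes Samba's algorithmic scheme, which the thread does not spell out (RID = id * 2 + "algorithmic rid base", default 1000, low bit set for groups); the domain SID and the sample accounts are constructed.

```python
"""Legacy (pre-3.0.23) algorithmic SID inventory for an upgrade audit."""

RID_BASE = 1000  # assumption: smb.conf "algorithmic rid base" at its default
# Constructed placeholder; read the real value with `net getlocalsid`.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def legacy_rid(unix_id, is_group, base=RID_BASE):
    """RID = id*2 + base; the low bit marks groups (1) vs. users (0)."""
    return unix_id * 2 + base + (1 if is_group else 0)


def inventory(lines, is_group, min_id=1000, domain_sid=DOMAIN_SID):
    """Parse passwd(5)/group(5) lines into (name, id, legacy SID) rows."""
    rows = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 3 or line.startswith("#") or not fields[2].isdigit():
            continue  # skip comments, blank lines and NIS "+" entries
        name, unix_id = fields[0], int(fields[2])
        if unix_id >= min_id:  # ignore system accounts
            rid = legacy_rid(unix_id, is_group)
            rows.append((name, unix_id, f"{domain_sid}-{rid}"))
    return rows


def decode(sid, domain_sid=DOMAIN_SID, base=RID_BASE):
    """Map a SID seen in an ACL back to ('user'|'group', unix id), or None."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid or not rid.isdigit() or int(rid) < base:
        return None  # foreign domain, or a well-known RID below the base
    offset = int(rid) - base
    return ("group" if offset & 1 else "user", offset // 2)


# Constructed sample input (not from the thread).
PASSWD = ["root:x:0:0:root:/root:/bin/sh", "alice:x:1000:100::/home/alice:/bin/sh",
          "bob:x:1001:100::/home/bob:/bin/sh", "+::::::"]
GROUP = ["# local groups", "wheel:x:10:root", "staff:x:1200:alice,bob"]

if __name__ == "__main__":
    for kind, rows in (("user", inventory(PASSWD, False)),
                       ("group", inventory(GROUP, True))):
        for name, unix_id, sid in rows:
            print(f"{kind:5} {name:8} {unix_id:6} {sid}")
```

Run against the real /etc/passwd and /etc/group on the test server before upgrading, the resulting table shows which SIDs existing file ACLs are expected to contain.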