On 07/11/15 18:23, Michael Adam wrote:
> On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
>> On 07/11/15 17:47, Jonathan Hunter wrote:
>>> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>>>> Also, for all I know, the DC always has local unix user and group
>>>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>>>> this has changed recently, but I can't imagine how.) So there is
>>>> nothing wrong with samba not using the rfc ids on the DC -- this is
>>>> how it works by design.
>>> Thanks Michael. I will see if I can use winbind locally instead of
>>> sssd later this evening, now that I have fully switched to rfc2307
>>> rather than algorithmic mappings.
>>>
>>> One question on this, though - how is file ownership managed on the DC
>>> from the samba side? I know DCs aren't "supposed" to be used as file
>>> servers in the samba view of things (which is another story
>>> altogether), but I can't understand why sometimes the ID mapping comes
>>> from the rfc2307 attributes and then later on not. The mapping needs
>>> to be consistent so that any files on disk are owned by the correct
>>> UID (even if the local DC's Unix system doesn't necessarily know who
>>> that UID is - that's the job of winbindd / sssd / etc. as I understand
>>> it) ?
>>>
>>> There are a lot of people (including me) who for various reasons
>>> really, really want to use a single machine as both a DC and a file
>>> server. Having this work with any sort of consistency in UID mappings
>>> is proving to be a little bit problematic :)
>>>
>>> It's frustrating for me because it works for a while (5 months until
>>> yesterday) but then something triggers and it doesn't work again...
>>>
>>> Cheers
>>>
>>> J
>>>
>> The problem here is that whilst the uidNumbers & gidNumbers have always been
>> consistent when used on a DC with winbind (now winbindd), you have never
>> been able to use per-user home dirs and login shells.
>>
>> The user ID problem on DCs using xidNumbers from idmap.ldb is compounded by
>> the fact that idmap.ldb can be and usually is different on DCs.
>>
>> The only way to get consistent IDs is to use RFC2307 attributes, but as I
>> said, you cannot use the unixhomedirectory and loginshell attributes on a
>> DC.
> That is an interesting point, I'd really like to understand:
>
> Unless you want to access the shares also with NFS (e.g.),
> then why are these consistent IDs important?
>
> If looking from windows clients, you don't even see them.
>
> Cheers - Michael

Can I introduce you to the concept of an all Unix AD domain?

Rowland
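Rowland's point above is that idmap.ldb allocations are local to each DC and usually differ between DCs, so only the RFC2307 uidNumber/gidNumber attributes give an ID mapping that is the same everywhere. The script below is an added example written for this page, not code from Samba or from anyone in the thread. It reads LDIF text of the kind `ldbsearch -H /var/lib/samba/private/idmap.ldb` and `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)'` print on a DC, and reports SIDs whose local xidNumber differs between two DCs, users that carry no uidNumber (their UID then depends on whichever DC allocated it), and uidNumber values shared by more than one user. The dumps embedded in it are constructed; the domain SID, account names and numbers are made up.

```python
"""Added example (not Samba's code): cross-check Unix IDs on Samba AD DCs.
Input is LDIF text as printed by `ldbsearch -H /var/lib/samba/private/idmap.ldb`
and `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)'`.
Reports SIDs whose local xidNumber differs between two DCs, users with no
RFC2307 uidNumber, and uidNumbers shared by several users.
All sample dumps below are constructed; SIDs, names and numbers are made up."""
import base64
from typing import Dict, List, Tuple


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated records, 'attr: value' and
    'attr:: base64' lines, leading-space continuation lines, '#' comments.
    Enough for ldbsearch output; not a full RFC 2849 parser."""
    folded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]          # continuation of the previous line
        else:
            folded.append(line)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in folded + [""]:              # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(key, []).append(value)
    return records


def idmap_table(idmap_ldif: str) -> Dict[str, int]:
    """objectSid -> xidNumber for every mapping record in an idmap.ldb dump."""
    return {rec["objectSid"][0]: int(rec["xidNumber"][0])
            for rec in parse_ldif(idmap_ldif)
            if "objectSid" in rec and "xidNumber" in rec}


def idmap_conflicts(dc_a: Dict[str, int], dc_b: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """SIDs mapped on both DCs but to different local IDs: a file written via
    one DC shows up with a different owner when served from the other."""
    return sorted((sid, dc_a[sid], dc_b[sid])
                  for sid in dc_a.keys() & dc_b.keys() if dc_a[sid] != dc_b[sid])


def users_without_rfc2307(sam_ldif: str) -> List[str]:
    """Account names of user objects that have no uidNumber attribute."""
    return sorted(rec["sAMAccountName"][0] for rec in parse_ldif(sam_ldif)
                  if "sAMAccountName" in rec and "uidNumber" not in rec)


def duplicate_uidnumbers(sam_ldif: str) -> Dict[int, List[str]]:
    """uidNumber values assigned to more than one user: an RFC2307 mapping is
    only consistent if it is also unique."""
    by_uid: Dict[int, List[str]] = {}
    for rec in parse_ldif(sam_ldif):
        if "sAMAccountName" in rec and "uidNumber" in rec:
            by_uid.setdefault(int(rec["uidNumber"][0]), []).append(rec["sAMAccountName"][0])
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


# Constructed sample: the same two SIDs received swapped xidNumbers on two DCs.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DC1_IDMAP = f"""# record 1
dn: CN={DOMAIN}-1106
objectClass: sidMap
objectSid: {DOMAIN}-1106
type: ID_TYPE_BOTH
xidNumber: 3000021

# record 2
dn: CN={DOMAIN}-1107
objectClass: sidMap
objectSid: {DOMAIN}-1107
type: ID_TYPE_BOTH
xidNumber: 3000022
"""
DC2_IDMAP = f"""dn: CN={DOMAIN}-1106
objectClass: sidMap
objectSid: {DOMAIN}-1106
type: ID_TYPE_BOTH
xidNumber: 3000022

dn: CN={DOMAIN}-1107
objectClass: sidMap
objectSid: {DOMAIN}-1107
type: ID_TYPE_BOTH
xidNumber: 3000021
"""
# Constructed sam.ldb extract: alice and carol collide, bob has no uidNumber.
SAM_USERS = """dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
description:: VW5peCBvbmx5

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10001
"""

if __name__ == "__main__":
    for sid, a, b in idmap_conflicts(idmap_table(DC1_IDMAP), idmap_table(DC2_IDMAP)):
        print(f"idmap mismatch {sid}: DC1={a} DC2={b}")
    print("no uidNumber:", users_without_rfc2307(SAM_USERS))
    print("duplicate uidNumber:", duplicate_uidnumbers(SAM_USERS))
```

On a real deployment you would feed it the ldbsearch output from each DC instead of the embedded strings; any SID listed by `idmap_conflicts` is a user or group whose files would change apparent owner depending on which DC served them, and every name from `users_without_rfc2307` is an account whose UID comes from that per-DC allocation rather than from the directory.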
On 2015-11-07 at 18:54 +0000, Rowland Penny wrote:
> On 07/11/15 18:23, Michael Adam wrote:
> >On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
> >>[...]
> >>The only way to get consistent IDs is to use RFC2307 attributes, but as I
> >>said, you cannot use the unixhomedirectory and loginshell attributes on a
> >>DC.
> >That is an interesting point, I'd really like to understand:
> >
> >Unless you want to access the shares also with NFS (e.g.),
> >then why are these consistent IDs important?
> >
> >If looking from windows clients, you don't even see them.
>
> Can I introduce you to the concept of an all Unix AD domain?

Please do!

Michael
On 07/11/15 21:29, Michael Adam wrote:
> On 2015-11-07 at 18:54 +0000, Rowland Penny wrote:
>> On 07/11/15 18:23, Michael Adam wrote:
>>> On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
>>>> [...]
>>>> The only way to get consistent IDs is to use RFC2307 attributes, but as I
>>>> said, you cannot use the unixhomedirectory and loginshell attributes on a
>>>> DC.
>>> That is an interesting point, I'd really like to understand:
>>>
>>> Unless you want to access the shares also with NFS (e.g.),
>>> then why are these consistent IDs important?
>>>
>>> If looking from windows clients, you don't even see them.
>> Can I introduce you to the concept of an all Unix AD domain?
> Please do!
>
> Michael

I would have thought it was fairly obvious, an AD domain without *any*
windows machines. For this you would need the RFC2307 attributes,
something that doesn't happen on the DC at present.

I know that AD was a microsoft invention, but this doesn't make it a bad
idea :-) and whilst Samba needs to be compatible with microsoft AD, there
is no reason why it cannot build on it for a Unix AD domain, or to put it
another way, SSO for Unix.

There does not seem to be any sense in avoiding the license fees involved
with a windows AD DC if you are also paying for the windows OS.

Rowland