On 09/08/2019 18:13, Stefan G. Weichinger via samba wrote:
> On 09.08.19 at 12:49, Rowland penny via samba wrote:
>> On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>>>> You have to give any users you require visible on Unix a uidNumber
>>>> attribute
>>> Ok, I can do it with samba-tool user edit...
> I think my rsnapshot-issue corresponds with this thread as well.
>
> wbinfo -i userXY shows different uids on the DC and the DM.
>
> Therefore the rsynced files belonging to uid-of-user-on-DM are shown as
> plain uid-number on the DC and can't be accessed correctly.
>
> Seems I need to add a uid as well.
>
> sorry if I hijacked here, just adding my current view ...
>

Ah, so you are backing up something from a DC to a Unix domain member,
then you may have problems.

There are three main methods of setting IDs:

On a DC, by default, idmap.ldb is used, this stores the IDs in xidNumber
attributes and the range starts at '3000000', these numbers are only
used on a Samba AD DC.

For Unix domain members, there are the 'rid' and 'ad' winbind backends,
the 'rid' backend calculates the ID from the RID and the low DOMAIN
range set in smb.conf, so if the low range is '10000' and the first RID
is '1000' the first user ID will be '11000'

The 'ad' backend uses the uidNumber & gidNumber attributes from AD, as
long as they are inside the DOMAIN range set in smb.conf.

The only way to get the same IDs everywhere on Unix is to use the
uidNumber & gidNumber attributes, they will override the xidNumbers on
a DC, but you will have to use the 'ad' backend.

If you use the 'rid' backend, you can get the same IDs on Unix domain
members, but only if you use the same 'idmap config' lines on all Unix
domain members, however you will still have different IDs on the DC's.

A different way around this would be to backup to a directory and then
tar the directory into a file.

Rowland

On 09.08.19 at 19:57, Rowland penny via samba wrote:
> On 09/08/2019 18:13, Stefan G. Weichinger via samba wrote:
>> On 09.08.19 at 12:49, Rowland penny via samba wrote:
>>> On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>>>>> You have to give any users you require visible on Unix a uidNumber
>>>>> attribute
>>>> Ok, I can do it with samba-tool user edit...
>> I think my rsnapshot-issue corresponds with this thread as well.
>>
>> wbinfo -i userXY shows different uids on the DC and the DM.
>>
>> Therefore the rsynced files belonging to uid-of-user-on-DM are shown as
>> plain uid-number on the DC and can't be accessed correctly.
>>
>> Seems I need to add a uid as well.
>>
>> sorry if I hijacked here, just adding my current view ...
>>
> Ah, so you are backing up something from a DC to a Unix domain member,
> then you may have problems.
>
> There are three main methods of setting IDs:
>
> On a DC, by default, idmap.ldb is used, this stores the IDs in xidNumber
> attributes and the range starts at '3000000', these numbers are only
> used on a Samba AD DC.
>
> For Unix domain members, there are the 'rid' and 'ad' winbind backends,
> the 'rid' backend calculates the ID from the RID and the low DOMAIN
> range set in smb.conf, so if the low range is '10000' and the first RID
> is '1000' the first user ID will be '11000'
>
> The 'ad' backend uses the uidNumber & gidNumber attributes from AD, as
> long as they are inside the DOMAIN range set in smb.conf.
>
> The only way to get the same IDs everywhere on Unix is to use the
> uidNumber & gidNumber attributes, they will override the xidNumbers on
> a DC, but you will have to use the 'ad' backend.
>
> If you use the 'rid' backend, you can get the same IDs on Unix domain
> members, but only if you use the same 'idmap config' lines on all Unix
> domain members, however you will still have different IDs on the DC's.
>
> A different way around this would be to backup to a directory and then
> tar the directory into a file.

Rowland thank you for explaining this (or trying to explain, I still
have to re-read and find it over-complicated).

I try another rsync-parameter now to map via user/group-names instead of
ids. For the use-case of backups/snapshots this might be enough.

On 10/08/2019 08:00, Stefan G. Weichinger via samba wrote:
> On 09.08.19 at 19:57, Rowland penny via samba wrote:
>> On 09/08/2019 18:13, Stefan G. Weichinger via samba wrote:
>>> On 09.08.19 at 12:49, Rowland penny via samba wrote:
>>>> On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>>>>>> You have to give any users you require visible on Unix a uidNumber
>>>>>> attribute
>>>>> Ok, I can do it with samba-tool user edit...
>>> I think my rsnapshot-issue corresponds with this thread as well.
>>>
>>> wbinfo -i userXY shows different uids on the DC and the DM.
>>>
>>> Therefore the rsynced files belonging to uid-of-user-on-DM are shown as
>>> plain uid-number on the DC and can't be accessed correctly.
>>>
>>> Seems I need to add a uid as well.
>>>
>>> sorry if I hijacked here, just adding my current view ...
>>>
>> Ah, so you are backing up something from a DC to a Unix domain member,
>> then you may have problems.
>>
>> There are three main methods of setting IDs:
>>
>> On a DC, by default, idmap.ldb is used, this stores the IDs in xidNumber
>> attributes and the range starts at '3000000', these numbers are only
>> used on a Samba AD DC.
>>
>> For Unix domain members, there are the 'rid' and 'ad' winbind backends,
>> the 'rid' backend calculates the ID from the RID and the low DOMAIN
>> range set in smb.conf, so if the low range is '10000' and the first RID
>> is '1000' the first user ID will be '11000'
>>
>> The 'ad' backend uses the uidNumber & gidNumber attributes from AD, as
>> long as they are inside the DOMAIN range set in smb.conf.
>>
>> The only way to get the same IDs everywhere on Unix is to use the
>> uidNumber & gidNumber attributes, they will override the xidNumbers on
>> a DC, but you will have to use the 'ad' backend.
>>
>> If you use the 'rid' backend, you can get the same IDs on Unix domain
>> members, but only if you use the same 'idmap config' lines on all Unix
>> domain members, however you will still have different IDs on the DC's.
>>
>> A different way around this would be to backup to a directory and then
>> tar the directory into a file.
> Rowland thank you for explaining this (or trying to explain, I still
> have to re-read and find it over-complicated).
>
> I try another rsync-parameter now to map via user/group-names instead of
> ids. For the use-case of backups/snapshots this might be enough.

I will try again ;-)

On a DC, as standard, the numeric IDs are allocated on a first come
basis from the '3000000' range.

On Unix domain members it depends on two things, which winbind backend
you use, linked with the Domain range set in AD, the examples on the
Samba wiki use '10000-999999'.

If you use the 'rid' backend, then the IDs are calculated via this
formula:

ID = RID - BASE_RID + LOW_RANGE_ID

The 'BASE_RID' is always '0' (unless you set it to something else, but
why would you ?)

So the formula is really:

ID = RID + LOW_RANGE_ID

So let's fill that in with data, '1000' for the RID and the low range
from the wiki example '10000'

ID = 1000 + 10000

Or

ID = 11000

I will leave you to calculate the ID for Domain Users, given that its
RID is always '513'

I hope you can see that, if you do nothing, you will never get the same
numeric ID on a DC and a Unix domain member using the winbind 'rid'
backend.

The only way to get the same numeric IDs everywhere is to use the
winbind 'ad' backend. This relies on the addition of uidNumber
attributes to users and gidNumber attributes to groups. These 'numbers'
must be inside the range set in smb.conf, any 'numbers' outside the
range will be ignored. You must ensure that Domain Users is given a
gidNumber, or all your users will be ignored.

HTH

Rowland
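
Added illustration, not part of the mailing-list thread: a simplified Python model of the three ID sources described above (xidNumber on a DC, the 'rid' backend, the 'ad' backend), showing why one account owns files under different numeric IDs on different hosts. The `Account` class, the function names, the xidNumber 3000021 and the uidNumber/gidNumber values are constructed for the example; it does not query Samba.

```python
# Added illustration: simplified model of the ID sources described in the thread.
from dataclasses import dataclass
from typing import Optional

LOW, HIGH = 10000, 999999  # DOMAIN range from the wiki example cited in the thread
BASE_RID = 0               # default BASE_RID, per the thread


@dataclass
class Account:
    name: str
    rid: int
    unix_id: Optional[int] = None            # uidNumber / gidNumber in AD, if set
    primary_group: Optional["Account"] = None


def rid_backend(acct, low=LOW, high=HIGH, base_rid=BASE_RID):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range."""
    unix_id = acct.rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def ad_backend(acct, low=LOW, high=HIGH):
    """Use the AD attribute; out-of-range numbers are ignored, and so is a
    user whose primary group has no usable gidNumber."""
    if acct.unix_id is None or not low <= acct.unix_id <= high:
        return None
    group = acct.primary_group
    if group is not None and ad_backend(group, low, high) is None:
        return None
    return acct.unix_id


def dc_id(acct, xid):
    """On a DC a uidNumber/gidNumber overrides the xidNumber from idmap.ldb."""
    return acct.unix_id if acct.unix_id is not None else xid


def view(acct, xid, member_lows=(10000, 20000)):
    """IDs one account resolves to on a DC, on 'rid' members, and on an 'ad' member."""
    return {"dc": dc_id(acct, xid),
            "rid": [rid_backend(acct, low=low) for low in member_lows],
            "ad": ad_backend(acct)}


if __name__ == "__main__":
    group = Account("Domain Users", 513)               # no gidNumber yet
    user = Account("userXY", 1000, primary_group=group)
    print(view(user, xid=3000021))     # xid is a constructed sample value
    user.unix_id, group.unix_id = 10500, 10000         # constructed attribute values
    print(view(user, xid=3000021))
```

The two `member_lows` values stand for two domain members whose 'idmap config' lines differ, which is the case where even 'rid' members disagree with each other.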