The Fresh Prince of Darkness
2003-May-08 23:42 UTC
[Samba] An old winbind synchronization question
First the setup:
Samba 2.2.3a on Debian testing, built with ACL support on XFS filesystem.

NT4 PDC (Eventually we plan to implement Samba PDC, but that's a ways off.)

Secondary offsite Samba server, same config as above, rsyncing data directories every 5 minutes over T1.

Offsite Backup server grabbing data off the live Samba server nightly via rsync.

We are implementing Winbind on the Samba server and it seems like a dream come true (Single point of Acct Management!!), but I am anticipating 2 problems.

1) Samba server dies and secondary server goes live. Winbind mappings are per machine, so all file ownerships are blown away. We're not using NFS in our shop, but I suspect this would be a similar problem there. In this case, though, only one of these servers is ever live at a time.

2) When rebuilding the primary server from the offsite backups, how can I ensure that the winbind mapping is carried over to avoid the same problem as #1?

I researched the list archives and saw mention that this was being worked on back in 2001. Has any progress been made and I just missed the release? If synchronization is still impossible, if I dump winbindd_idmap.tdb to my backup server, would restoring that be enough to get everything back to square 1?

Thanks in advance.

--
-Ron
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
"Yes Janet, life's pretty cheap to THAT type." -- Brad Majors
On Fri, 2003-05-09 at 09:42, The Fresh Prince of Darkness wrote:

> First the setup:
> Samba 2.2.3a on Debian testing, built with ACL support on XFS filesystem.

This version has serious security issues, you should run Samba 2.2.8a. In particular, the version in Debian testing *has not* been patched (I understand there are various internal Debian reasons for this). Either run Samba 3.0 from unstable, or the version from the security archive for the current stable (2.2.4a-12.1 I think).

> NT4 PDC (Eventually we plan to implement Samba PDC, but that's a ways off.)
>
> Secondary offsite Samba server, same config as above, rsyncing data
> directories every 5-minutes over T1.
>
> Offsite Backup server grabbing data off the live Samba server nightly
> via rsync.
>
> We are implementing Winbind on the Samba server and it seems like a
> dream come true (Single point of Acct Management!!), but I am
> anticipating 2 problems.
>
> 1) Samba server dies and secondary server goes live. Winbind mappings
> are per machine, so all file ownerships are blown away. We're not using
> NFS in our shop, but I suspect this would be a similar problem there. In
> this case, though only one of these servers is ever live at a time.

This is being worked on - the provision for a centralized idmap - but is not available in current releases.

> 2) when rebuilding the primary server from the offsite backups, how can
> I ensure that the winbind mapping is carried over to avoid the same
> problem as #1?

Back up the winbind_idmap.tdb. You can get a 'safe' copy with tdbbackup.

> I researched the list archives and saw mention that this was being
> worked on back in 2001. Has any progress been made and I just missed
> the release? If synchronization is still impossible, if I dump
> winbindd_idmap.tdb to my backup server, would restoring that be enough
> to get everything back to square 1?

As long as you copied the files with the '--numeric-ids' option to rsync - otherwise the IDs would actually be resolved via getpwnam() to a different idmap. Now this might be the right, or the wrong thing depending on the circumstances.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
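
The point in the reply above about '--numeric-ids', as an added example that is not part of the original thread: a toy Python model of who ends up owning the files after a copy between two winbind hosts. The domain users, uids and paths are constructed, and rsync's owner handling is reduced to "match by name" versus "keep the number".

```python
"""Toy model of file ownership across two winbind hosts (added example)."""

# Constructed sample maps: each host's winbind handed out uids in the order
# it first saw the domain users, so the same name has a different uid per host.
PRIMARY_IDMAP = {"DOM\\alice": 10000, "DOM\\bob": 10001, "DOM\\carol": 10002}
SECONDARY_IDMAP = {"DOM\\carol": 10000, "DOM\\alice": 10001, "DOM\\bob": 10002}

# Constructed sample: numeric owner of each file on the primary's disk.
PRIMARY_FILES = {"/data/a.doc": 10000, "/data/b.xls": 10001, "/data/c.txt": 10002}


def transfer(files, src_idmap, dst_idmap, numeric_ids):
    """Model rsync -o: return {path: uid} as stored on the receiver."""
    src_names = {uid: name for name, uid in src_idmap.items()}
    result = {}
    for path, uid in files.items():
        name = src_names.get(uid)
        # Default: match the owner by name on the receiver, keeping the raw
        # uid only if the name is unknown there. --numeric-ids: always raw uid.
        keep_raw = numeric_ids or name not in dst_idmap
        result[path] = uid if keep_raw else dst_idmap[name]
    return result


def owners(files, idmap):
    """Resolve stored uids to names through the idmap active on a host."""
    names = {uid: name for name, uid in idmap.items()}
    return {path: names.get(uid, "<unmapped>") for path, uid in files.items()}


def scenarios():
    """Is ownership intact for each copy mode / active idmap pairing?"""
    truth = owners(PRIMARY_FILES, PRIMARY_IDMAP)
    out = {}
    for numeric in (True, False):
        copied = transfer(PRIMARY_FILES, PRIMARY_IDMAP, SECONDARY_IDMAP, numeric)
        for label, idmap in (("restored primary tdb", PRIMARY_IDMAP),
                             ("receiver's own tdb", SECONDARY_IDMAP)):
            out[(numeric, label)] = owners(copied, idmap) == truth
    return out


if __name__ == "__main__":
    for (numeric, label), ok in scenarios().items():
        mode = "--numeric-ids" if numeric else "by name"
        print(f"{mode:14} + {label:20} -> ownership {'intact' if ok else 'WRONG'}")
```

Only the matched pairings keep ownership intact: a numeric copy with the original idmap file restored, or a by-name copy read through the receiver's own idmap. Mixing them hands files to a different domain user.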