Hello list,

I have a few questions to ask... I am about to migrate from Samba 2 to 3 (3.5.9). I am going to use LDAP as backend in the future and came across something I don't understand. As far as I know the 'old' way to generate RIDs for users is to take their uidnumber, multiply it by two and add 1000. For computer accounts it would be 1001 instead of 1000. I am now trying to figure out how this works with 3.5.9 and ldapsam and if it is possible to re-enable the old behaviour.

The only thing I could find was this: http://samba.org/samba/history/samba-3.0.11.html where it says:

"Beginning with Samba 3.0.0beta3, the RID allocation functions have been moved into winbindd. Previously these were handled by each passdb backend. This means that winbindd must be running to automatically allocate RIDs for users and/or groups. Otherwise, smbd will use the 2.2 algorithm for generating new RIDs"

I am not using winbindd but I noticed that new RIDs get created independently from the uidnumber of the account. In the Domain Object the value for sambaAlgorithmicRidBase is 1000, still new RIDs for computer accounts get created by incrementing the value of sambaNextRid which is 1027 right now.

I tried to increase sambaAlgorithmicRidBase to 10000 so there wouldn't be a collision between old samba 3 accounts and the new ones but this only led to smbd refusing to start saying that "The value of 'algorithmic RID base' has changed since the LDAP database was initialised.". Since the whole shebang isn't online yet I only have a handful of computer accounts for testing purposes with RIDs in the unwanted 1000s which I could delete.

To make a long story short: how do I tell samba to just use the old behaviour for allocating RIDs? Or if that's not possible: how do I change the algorithmic RID base afterwards?

Thanks,
Stephan
From: steffo76 at gmx.de
Date: Mon, 05 Sep 2011 16:51:57 +0200

> I have a few questions to ask... I am about to migrate from Samba 2
> to 3 (3.5.9). I am going to use LDAP as backend in the future and
> came across something I don't understand. As far as I know the 'old'
> way to generate RIDs for users is to take their uidnumber, multiply
> it by two and add 1000. For computer accounts it would be 1001
> instead of 1000. I am now trying to figure out how this works with
> 3.5.9 and ldapsam and if it is possible to re-enable the old
> behaviour.

If you want to use the old way, you have to use an 'old' passdb such as smbpasswd or ldapsam_compat instead of ldapsam or tdbsam, although they cannot keep the detailed information of users.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
Ok, I couldn't find out what sambaAlgorithmicRidBase does but managed to find the source for the RID allocation in pdb_ldap.c where it says:

/* Find the largest of the three attributes "sambaNextRid",
   "sambaNextGroupRid" and "sambaNextUserRid". I gave up on the
   concept of differentiating between user and group rids, and will
   use only "sambaNextRid" in the future. But for compatibility
   reasons I look if others have chosen different strategies -- VL */

Looking at the code I can see that it takes the highest of the three values, increments it and the incremented value is the new RID. So the value of sambaNextRid isn't the next RID but the currently highest RID.

Is it safe to use the same strategy if I allocate RIDs via self-made ldap scripts? Get the values of all three attributes if they exist, take the highest, increment it in the directory and use the incremented value? I need to add computer accounts from a server on which I can't (and don't want to) install samba, making it impossible to run smbpasswd, and would like to allocate the RIDs on my own. Same goes for user accounts which get created via a webmin module.

Wouldn't it be safer to set sambaNextRid, sambaNextGroupRid and sambaNextUserRid all to the same value? If someone decides to use for instance sambaNextUserRid in the future and relies on the value being correct, wouldn't he be reallocating existing RIDs?
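The strategy described in the message above (highest of the three counters, plus one, written back to sambaNextRid), as an added example that is not code from this thread or from Samba. `FakeDomainEntry`, `swap`, `algorithmic_rid`, `allocate_rid` and the `taken` set are hypothetical names; the in-memory entry stands in for the LDAP domain object, and the delete-old/add-new write is this example's way of keeping two scripts from handing out the same RID.

```python
RID_ATTRS = ("sambaNextRid", "sambaNextUserRid", "sambaNextGroupRid")

class Conflict(Exception):
    """The value we asked the directory to delete is no longer there."""

class FakeDomainEntry:
    """In-memory stand-in for the domain object (constructed, not real LDAP)."""
    def __init__(self, attrs):
        self.attrs = dict(attrs)

    def read(self):
        return dict(self.attrs)

    def swap(self, attr, old, new):
        # Models one LDAP modify that deletes attr=old and adds attr=new;
        # a server rejects it when old is not the current value.
        if self.attrs.get(attr) != old:
            raise Conflict(attr)
        self.attrs[attr] = new

def algorithmic_rid(uidnumber, base=1000):
    """Old-style user RID as described in the thread: uidnumber * 2 + base."""
    return uidnumber * 2 + base

def allocate_rid(entry, taken=frozenset(), retries=5):
    """Return a fresh RID and record it in sambaNextRid as the new highest."""
    for _ in range(retries):
        snap = entry.read()
        # Highest of whichever counters exist; 999 is this example's assumed
        # fallback so that an entry without counters yields 1000 first.
        highest = max((int(snap[a]) for a in RID_ATTRS if a in snap), default=999)
        new_rid = highest + 1
        while new_rid in taken:      # skip RIDs already held by accounts
            new_rid += 1
        try:
            entry.swap("sambaNextRid", snap.get("sambaNextRid"), str(new_rid))
        except Conflict:
            continue                 # another writer got there first; re-read
        return new_rid
    raise RuntimeError("RID allocation kept conflicting, giving up")
```

Passing the algorithmic RIDs of migrated accounts as `taken` keeps the counter from landing on them: with sambaNextRid at 1027, the RID for uidnumber 14 (1028) is skipped.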
Please CC to the list.

From: steffo76 at gmx.de
Date: Mon, 05 Sep 2011 19:41:16 +0200

> > If you want to use old way, you have to use 'old' passdb such as
> > smbpasswd or ldapsam_compat instead of ldapsam or tdbsam, although
> > they can not keep the detail information of users.
>
> OK, so far so good. tdbsam is not an option. How does the RID
> generation work in 3.5.9 anyway - what is algorithmic rid base for ?

"algorithmic rid base" works only under the 'old' passdb.

> Is this just the start value, the first RID that's being used ?

For the 'new' passdb such as ldapsam and tdbsam, the start value is fixed at 1000.

> So on first startup sambaNextRid and
> sambaNextUserRid get set to this value ? More importantly: How do I
> change these values without samba refusing to start, does Samba
> store the initial Value for sambaAlgorithmicRidBase in secrets.tdb ?

AFAIK, no official method is available. You are using ldapsam, so you may change the start values to change attributes correctly by modifying the LDAP directory directly.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>