On 07/11/15 17:47, Jonathan Hunter wrote:
> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>> Also, for all I know, the DC always has local unix user and group
>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>> this has changed recently, but I can't imagine how.) So there is
>> nothing wrong with samba not using the rfc ids on the DC -- this is
>> how it works by design.
> Thanks Michael. I will see if I can use winbind locally instead of
> sssd later this evening, now that I have fully switched to rfc2307
> rather than algorithmic mappings.
>
> One question on this, though - how is file ownership managed on the DC
> from the samba side? I know DCs aren't "supposed" to be used as file
> servers in the samba view of things (which is another story
> altogether), but I can't understand why sometimes the ID mapping comes
> from the rfc2307 attributes and then later on not. The mapping needs
> to be consistent so that any files on disk are owned by the correct
> UID (even if the local DC's Unix system doesn't necessarily know who
> that UID is - that's the job of winbindd / sssd / etc. as I understand
> it) ?
>
> There are a lot of people (including me) who for various reasons
> really, really want to use a single machine as both a DC and a file
> server. Having this work with any sort of consistency in UID mappings
> is proving to be a little bit problematic :)
>
> It's frustrating for me because it works for a while (5 months until
> yesterday) but then something triggers and it doesn't work again...
>
> Cheers
>
> J
>

The problem here is that whilst the uidNumbers & gidNumbers have always been consistent when used on a DC with winbind (now winbindd), you have never been able to use per-user home dirs and login shells.

The user ID problem on DCs using xidNumbers from idmap.ldb is compounded by the fact that idmap.ldb can be and usually is different on DCs.

The only way to get consistent IDs is to use RFC2307 attributes, but as I said, you cannot use the unixHomeDirectory and loginShell attributes on a DC.

Rowland
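The two failure modes described above (a user resolving to a different UID on each DC because the xidNumber came from that DC's own idmap.ldb, and a resolved ID that does not match the RFC2307 uidNumber/gidNumber held in AD) are easy to miss until file ownership breaks. The following checker is an added example, not code from the thread or from the Samba project. It assumes you have captured `getent passwd` output for the domain users on each DC and a list of the uidNumber/gidNumber values stored in AD; every snapshot and AD value below is constructed for illustration, and the 3000000+ UIDs stand in for idmap.ldb's default xidNumber range.

```python
"""Cross-DC UID/GID consistency check for Samba AD DCs.

Added example (not Samba's own code). Inputs are assumed to be:
  - a passwd(5)-format snapshot per DC (e.g. captured `getent passwd`), and
  - a mapping of user -> (uidNumber, gidNumber) exported from AD.
All sample data here is constructed.
"""

from collections import defaultdict

# Constructed `getent passwd`-style snapshots from two DCs. On DC2 the user
# "bob" was allocated an xidNumber from that DC's own idmap.ldb (the
# 3000000+ range), so its UID differs from DC1 even though both DCs hold
# the same RFC2307 uidNumber for bob in AD. "dave" has no RFC2307 IDs at all.
DC_SNAPSHOTS = {
    "dc1": """\
SAMDOM\\alice:*:10001:10000:Alice:/home/SAMDOM/alice:/bin/bash
SAMDOM\\bob:*:10002:10000:Bob:/home/SAMDOM/bob:/bin/bash
SAMDOM\\carol:*:10003:10000:Carol:/home/SAMDOM/carol:/bin/bash
""",
    "dc2": """\
SAMDOM\\alice:*:10001:10000:Alice:/home/SAMDOM/alice:/bin/bash
SAMDOM\\bob:*:3000021:10000:Bob:/home/SAMDOM/bob:/bin/bash
SAMDOM\\dave:*:3000022:3000020:Dave:/home/SAMDOM/dave:/bin/bash
""",
}

# Constructed view of the RFC2307 uidNumber/gidNumber values stored in AD
# (the attributes a DC is expected to honour when it uses RFC2307 IDs).
AD_RFC2307 = {
    "SAMDOM\\alice": (10001, 10000),
    "SAMDOM\\bob": (10002, 10000),
    "SAMDOM\\carol": (10003, 10000),
    # dave deliberately has no uidNumber/gidNumber set in AD
}


def parse_passwd(text):
    """Parse passwd(5) lines into {name: (uid, gid, home, shell)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = (int(uid), int(gid), home, shell)
    return entries


def find_inconsistent_ids(snapshots):
    """Return {user: {dc: (uid, gid)}} for users seen on more than one DC
    whose UID or GID differs between those DCs."""
    seen = defaultdict(dict)
    for dc, text in snapshots.items():
        for name, (uid, gid, _home, _shell) in parse_passwd(text).items():
            seen[name][dc] = (uid, gid)
    return {
        name: dict(by_dc)
        for name, by_dc in seen.items()
        if len(by_dc) > 1 and len(set(by_dc.values())) > 1
    }


def find_rfc2307_mismatches(snapshots, ad_ids):
    """Return {(dc, user): (resolved, expected)} where a DC resolves a user
    to (uid, gid) that differs from the RFC2307 values in AD. expected is
    None when AD holds no uidNumber/gidNumber for that user, which is the
    case where the DC falls back to allocating an xidNumber locally."""
    mismatches = {}
    for dc, text in snapshots.items():
        for name, (uid, gid, _home, _shell) in parse_passwd(text).items():
            expected = ad_ids.get(name)
            if expected != (uid, gid):
                mismatches[(dc, name)] = ((uid, gid), expected)
    return mismatches


if __name__ == "__main__":
    for user, by_dc in find_inconsistent_ids(DC_SNAPSHOTS).items():
        print(f"{user}: UID/GID differs across DCs: {by_dc}")
    for (dc, user), (got, want) in find_rfc2307_mismatches(
        DC_SNAPSHOTS, AD_RFC2307
    ).items():
        print(f"{dc}: {user} resolves to {got}, AD RFC2307 holds {want}")
```

Run against real snapshots, any user that shows up in `find_inconsistent_ids` will own files under a different numeric UID depending on which DC served the share, and any `expected is None` hit in `find_rfc2307_mismatches` identifies an account that still needs uidNumber/gidNumber set before its IDs can be consistent at all. The home and shell fields are parsed and kept on purpose: on a DC they will show the template values rather than anything from AD, which is the second limitation raised in the thread.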
On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
> On 07/11/15 17:47, Jonathan Hunter wrote:
>> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>>> Also, for all I know, the DC always has local unix user and group
>>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>>> this has changed recently, but I can't imagine how.) So there is
>>> nothing wrong with samba not using the rfc ids on the DC -- this is
>>> how it works by design.
>> Thanks Michael. I will see if I can use winbind locally instead of
>> sssd later this evening, now that I have fully switched to rfc2307
>> rather than algorithmic mappings.
>>
>> One question on this, though - how is file ownership managed on the DC
>> from the samba side? I know DCs aren't "supposed" to be used as file
>> servers in the samba view of things (which is another story
>> altogether), but I can't understand why sometimes the ID mapping comes
>> from the rfc2307 attributes and then later on not. The mapping needs
>> to be consistent so that any files on disk are owned by the correct
>> UID (even if the local DC's Unix system doesn't necessarily know who
>> that UID is - that's the job of winbindd / sssd / etc. as I understand
>> it) ?
>>
>> There are a lot of people (including me) who for various reasons
>> really, really want to use a single machine as both a DC and a file
>> server. Having this work with any sort of consistency in UID mappings
>> is proving to be a little bit problematic :)
>>
>> It's frustrating for me because it works for a while (5 months until
>> yesterday) but then something triggers and it doesn't work again...
>>
>> Cheers
>>
>> J
>>
>
> The problem here is that whilst the uidNumbers & gidNumbers have always been
> consistent when used on a DC with winbind (now winbindd), you have never
> been able to use per-user home dirs and login shells.
>
> The user ID problem on DCs using xidNumbers from idmap.ldb is compounded by
> the fact that idmap.ldb can be and usually is different on DCs.
>
> The only way to get consistent IDs is to use RFC2307 attributes, but as I
> said, you cannot use the unixhomedirectory and loginshell attributes on a
> DC.

That is an interesting point, I'd really like to understand:

Unless you want to access the shares also with NFS (e.g.),
then why are these consistent IDs important?

If looking from windows clients, you don't even see them.

Cheers - Michael
On 07/11/15 19:00, Rowland Penny wrote:
> you cannot use the unixhomedirectory and loginshell attributes on a DC.

Unless, as the OP is doing, you use sssd.

HTH
On 07/11/15 18:23, Michael Adam wrote:
> On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
>> On 07/11/15 17:47, Jonathan Hunter wrote:
>>> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>>>> Also, for all I know, the DC always has local unix user and group
>>>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>>>> this has changed recently, but I can't imagine how.) So there is
>>>> nothing wrong with samba not using the rfc ids on the DC -- this is
>>>> how it works by design.
>>> Thanks Michael. I will see if I can use winbind locally instead of
>>> sssd later this evening, now that I have fully switched to rfc2307
>>> rather than algorithmic mappings.
>>>
>>> One question on this, though - how is file ownership managed on the DC
>>> from the samba side? I know DCs aren't "supposed" to be used as file
>>> servers in the samba view of things (which is another story
>>> altogether), but I can't understand why sometimes the ID mapping comes
>>> from the rfc2307 attributes and then later on not. The mapping needs
>>> to be consistent so that any files on disk are owned by the correct
>>> UID (even if the local DC's Unix system doesn't necessarily know who
>>> that UID is - that's the job of winbindd / sssd / etc. as I understand
>>> it) ?
>>>
>>> There are a lot of people (including me) who for various reasons
>>> really, really want to use a single machine as both a DC and a file
>>> server. Having this work with any sort of consistency in UID mappings
>>> is proving to be a little bit problematic :)
>>>
>>> It's frustrating for me because it works for a while (5 months until
>>> yesterday) but then something triggers and it doesn't work again...
>>>
>>> Cheers
>>>
>>> J
>>>
>> The problem here is that whilst the uidNumbers & gidNumbers have always been
>> consistent when used on a DC with winbind (now winbindd), you have never
>> been able to use per-user home dirs and login shells.
>>
>> The user ID problem on DCs using xidNumbers from idmap.ldb is compounded by
>> the fact that idmap.ldb can be and usually is different on DCs.
>>
>> The only way to get consistent IDs is to use RFC2307 attributes, but as I
>> said, you cannot use the unixhomedirectory and loginshell attributes on a
>> DC.
> That is an interesting point, I'd really like to understand:
>
> Unless you want to access the shares also with NFS (e.g.),
> then why are these consistent IDs important?
>
> If looking from windows clients, you don't even see them.
>
> Cheers - Michael

Can I introduce you to the concept of an all Unix AD domain?

Rowland
On 07/11/15 18:42, buhorojo wrote:
> On 07/11/15 19:00, Rowland Penny wrote:
>> you cannot use the unixhomedirectory and loginshell attributes on a DC.
> Unless, as the OP is doing, you use sssd.
> HTH
>

This is the Samba mailing list, not the sssd one. Having to use sssd or nslcd is the problem. If you want to use the DC as a fileserver, winbindd is as much use as a chocolate fireguard!

I personally feel it is wrong that winbindd works differently based on whether it is used on a DC or a Domain Member. Unfortunately, I do not have the skills to try and sort this problem. I can understand the problems in getting everything to work in a multi-domain forest, but I seem to remember reading that Microsoft are moving away from the concept of multi-domains and moving to recommending using sites.

Rowland