On 07/11/15 21:29, Michael Adam wrote:
> On 2015-11-07 at 18:54 +0000, Rowland Penny wrote:
>> On 07/11/15 18:23, Michael Adam wrote:
>>> On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
>>>> On 07/11/15 17:47, Jonathan Hunter wrote:
>>>>> On 7 November 2015 at 17:01, Michael Adam <obnox at samba.org> wrote:
>>>>>> Also, for all I know, the DC always has local unix user and group
>>>>>> IDs, and does NOT use the rfc2307 attributes for this. (Unless
>>>>>> this has changed recently, but I can't imagine how.) So there is
>>>>>> nothing wrong with samba not using the rfc ids on the DC -- this is
>>>>>> how it works by design.
>>>>> Thanks Michael. I will see if I can use winbind locally instead of
>>>>> sssd later this evening, now that I have fully switched to rfc2307
>>>>> rather than algorithmic mappings.
>>>>>
>>>>> One question on this, though - how is file ownership managed on the DC
>>>>> from the samba side? I know DCs aren't "supposed" to be used as file
>>>>> servers in the samba view of things (which is another story
>>>>> altogether), but I can't understand why sometimes the ID mapping comes
>>>>> from the rfc2307 attributes and then later on not. The mapping needs
>>>>> to be consistent so that any files on disk are owned by the correct
>>>>> UID (even if the local DC's Unix system doesn't necessarily know who
>>>>> that UID is - that's the job of winbindd / sssd / etc. as I understand
>>>>> it) ?
>>>>>
>>>>> There are a lot of people (including me) who for various reasons
>>>>> really, really want to use a single machine as both a DC and a file
>>>>> server. Having this work with any sort of consistency in UID mappings
>>>>> is proving to be a little bit problematic :)
>>>>>
>>>>> It's frustrating for me because it works for a while (5 months until
>>>>> yesterday) but then something triggers and it doesn't work again...
>>>>>
>>>>> Cheers
>>>>>
>>>>> J
>>>>>
>>>> The problem here is that whilst the uidNumbers & gidNumbers have always been
>>>> consistent when used on a DC with winbind (now winbindd), you have never
>>>> been able to use per-user home dirs and login shells.
>>>>
>>>> The user ID problem on DCs using xidNumbers from idmap.ldb is compounded by
>>>> the fact that idmap.ldb can be and usually is different on DCs.
>>>>
>>>> The only way to get consistent IDs is to use RFC2307 attributes, but as I
>>>> said, you cannot use the unixhomedirectory and loginshell attributes on a
>>>> DC.
>>> That is an interesting point, I'd really like to understand:
>>>
>>> Unless you want to access the shares also with NFS (e.g.),
>>> then why are these consistent IDs important?
>>>
>>> If looking from windows clients, you don't even see them.
>> Can I introduce you to the concept of an all Unix AD domain?
> Please do!
>
> Michael

I would have thought it was fairly obvious: an AD domain without *any* Windows machines. For this you would need the RFC2307 attributes, something that doesn't happen on the DC at present.

I know that AD was a Microsoft invention, but this doesn't make it a bad idea :-) and whilst Samba needs to be compatible with Microsoft AD, there is no reason why it cannot build on it for a Unix AD domain, or to put it another way, SSO for Unix. There does not seem to be any sense in avoiding the license fees involved with a Windows AD DC if you are also paying for the Windows OS.

Rowland
On 07/11/15 23:20, Rowland Penny wrote:
> you would need the RFC2307 attributes, something that doesn't happen
> on the DC at present.

rfc2307 attributes are a reality on DCs and have been ever since their introduction. You just don't use winbind to access them.
On 2015-11-07 at 22:20 +0000, Rowland Penny wrote:
> On 07/11/15 21:29, Michael Adam wrote:
> >On 2015-11-07 at 18:54 +0000, Rowland Penny wrote:
> >>On 07/11/15 18:23, Michael Adam wrote:
> >>>On 2015-11-07 at 18:00 +0000, Rowland Penny wrote:
> >>>>The problem here is that whilst the uidNumbers & gidNumbers
> >>>>have always been consistent when used on a DC with winbind
> >>>>(now winbindd), you have never been able to use per-user
> >>>>home dirs and login shells.
> >>>>
> >>>>The user ID problem on DCs using xidNumbers from idmap.ldb
> >>>>is compounded by the fact that idmap.ldb can be and usually
> >>>>is different on DCs.
> >>>>
> >>>>The only way to get consistent IDs is to use RFC2307
> >>>>attributes, but as I said, you cannot use the
> >>>>unixhomedirectory and loginshell attributes on a DC.
> >>>
> >>>That is an interesting point, I'd really like to understand:
> >>>
> >>>Unless you want to access the shares also with NFS (e.g.),
> >>>then why are these consistent IDs important?
> >>>
> >>>If looking from windows clients, you don't even see them.
> >>
> >>Can I introduce you to the concept of an all Unix AD domain?
> >
> >Please do!
>
> I would have thought it was fairly obvious, an AD domain
> without *any* windows machines.

A-ha!

> For this you would need the RFC2307 attributes, something that
> doesn't happen on the DC at present.

Ok, why do you strictly need it? I understand that it gives you a better feeling, and it may be convenient, but which scenario really requires it? Most important is the central auth db. If the IDs on the various DCs and members in the domain do not have the same sets of Unix IDs, then nevertheless:

- local login will work.
- ssh login will work.
- rsync will work if not using --numeric-ids.
- cifs mount will work.

What else does one need that would _require_ identical IDs? All member servers could even have the same IDs by rfc attributes (or an ldap or rid idmap config).

> I know that AD was a microsoft invention, but this doesn't make
> it a bad idea :-) and whilst Samba needs to be compatible with
> microsoft AD, there is no reason why it cannot build on it for
> a Unix AD domain, or to put it another way, SSO for Unix.

No problem at all with that! Just was a little dense initially... ;-)

Cheers - Michael
On 2015-11-07 at 23:51 +0100, buhorojo wrote:
> On 07/11/15 23:20, Rowland Penny wrote:
> >you would need the RFC2307 attributes, something that doesn't happen on
> >the DC at present.
> rfc2307 attributes are a reality on DCs and have been ever since their
> introduction. You just don't use winbind to access them.

You don't have a choice inside the Samba server. Winbind is used there. You can use sssd in nsswitch if you want to create a potentially inconsistent setup. It is your call... :-)

Michael
On 07/11/15 23:28, Michael Adam wrote:
> rsync will work if not using --numeric-ids.

OK, I know that logins will work on all the Samba machines, but I am not sure what you say about rsync is correct. This is what 'man rsync' has to say about '--numeric-ids':

    --numeric-ids    don't map uid/gid values by user/group name

So by my reading, if you don't use it, your uid/gids are mapped to the user/group, and if you do, they aren't. From the problems that arose with trying to rsync Sysvol (yes, I know this is useless on a Unix machine), where the xidNumbers are usually different from DC to DC, I am fairly sure this isn't going to work; the cure is to have the same idmap.ldb on all DCs.

There is also the problem of when a user creates a tarball on one machine and then copies it to another and unpacks it: they may find that all the files no longer belong to them.

If you log into *any* Windows domain machine, you will get the same SID-RID, so why should Unix be any different?

Rowland
On 07/11/15 23:28, Michael Adam wrote:
> Ok, why do you strictly need it?
> I understand that it gives you a better feeling,
> and it may be convenient but which scenario really
> requires it? Most important is the central auth db.
> If the IDs on the various DCs and members in the
> domain do not have the same sets of unix IDs, then
> nevertheless
> - local login will work.
> - ssh login will work.
> - rsync will work if not using --numeric-ids.
> - cifs mount will work.
>

Hi Michael, as I am mid-setup of a new test domain, I thought I would try it as you seemed to be suggesting, i.e. without using rfc2307 attributes.

I have come to the conclusion that by using the latest Samba on the DC with winbindd, you are using something that is very, very similar to a Samba domain member that uses the 'rid' backend.

- You can connect a domain member using the 'rid' backend to the DC.
- You can log in to the DC as a domain member.
- You can log in to the DC via ssh.
- rsync seems to work.
- You can mount a share from the DC on a domain member, but unless you explicitly set the user's local uid & gid in the mount command, the mount ends up belonging to the uid of the user on the DC.
- The [homes] share appears to be working again.
- Using the 'rid' backend, you get a user local group.

So, even though what you say is mostly true, I still hold to my belief: the best option would be if all Samba machines could use the full set of RFC2307 attributes.

Rowland
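The two messages from Rowland above turn on one practical question: does a given account resolve to the same numeric uid on every DC and member server, and does that uid match the uidNumber stored in AD? The script below is an added example for checking exactly that; it is not code from this thread or from the Samba project. It parses `getent passwd` output collected from each host (the same parser works for `getent group`), compares it with an optional map of uidNumber values exported from AD, and reports two classes of finding: accounts whose uid differs between sources (the per-DC idmap.ldb / xidNumber situation described above), and numeric uids that belong to a different account on another host, which is the case where a tarball or an `rsync --numeric-ids` copy silently changes owner. The host names, account names, RID-derived uids and uidNumber values are constructed sample data, not taken from any real domain.

```python
"""Check whether Unix IDs for AD accounts agree across Samba hosts.

Added example, not code from the Samba project or from the thread.
Input is the text of ``getent passwd`` from each DC / member server,
plus an optional {account: uidNumber} map exported from AD.
"""
from collections import defaultdict


def parse_passwd(text):
    """Map account name -> uid from getent passwd output.

    Only the first and third colon-separated fields are used; lines
    that do not have a numeric third field are skipped.
    """
    ids = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 3 or not parts[2].isdigit():
            continue
        ids[parts[0]] = int(parts[2])
    return ids


def id_mismatches(per_host, ad_ids=None):
    """Accounts whose uid is not identical on every host (and in AD, if given).

    per_host: {hostname: {account: uid}}
    ad_ids:   {account: uidNumber} taken from AD, or None
    Returns {account: {source: uid}} for every account with more than one
    distinct uid across its sources.
    """
    seen = defaultdict(dict)
    for host, ids in per_host.items():
        for name, uid in ids.items():
            seen[name][host] = uid
    if ad_ids:
        for name, uid in ad_ids.items():
            seen[name]["AD uidNumber"] = uid
    return {name: srcs for name, srcs in seen.items()
            if len(set(srcs.values())) > 1}


def numeric_collisions(per_host):
    """Numeric uids that name different accounts on different hosts.

    Returns {uid: {hostname: account}} for each uid owned by more than one
    account; files carried between those hosts with numeric ownership
    preserved (tar, rsync --numeric-ids) would end up owned by the wrong user.
    """
    owners = defaultdict(dict)
    for host, ids in per_host.items():
        for name, uid in ids.items():
            owners[uid][host] = name
    return {uid: o for uid, o in owners.items() if len(set(o.values())) > 1}


# Constructed sample data (assumption: not from any real domain).  dc1 and
# dc2 each allocated xidNumbers from their own idmap.ldb, in a different
# order; member1 uses the 'rid' backend, so its uids are derived from the
# account RID; AD carries a uidNumber for two of the three accounts.
HOST_DUMPS = {
    "dc1": "DOMAIN\\alice:*:3000019:100::/home/DOMAIN/alice:/bin/false\n"
           "DOMAIN\\bob:*:3000020:100::/home/DOMAIN/bob:/bin/false\n"
           "DOMAIN\\carol:*:3000021:100::/home/DOMAIN/carol:/bin/false\n",
    "dc2": "DOMAIN\\bob:*:3000019:100::/home/DOMAIN/bob:/bin/false\n"
           "DOMAIN\\alice:*:3000020:100::/home/DOMAIN/alice:/bin/false\n"
           "DOMAIN\\carol:*:3000021:100::/home/DOMAIN/carol:/bin/false\n",
    "member1": "DOMAIN\\alice:*:11105:10513::/home/alice:/bin/bash\n"
               "DOMAIN\\bob:*:11106:10513::/home/bob:/bin/bash\n"
               "DOMAIN\\carol:*:11107:10513::/home/carol:/bin/bash\n",
}
AD_UIDNUMBERS = {"DOMAIN\\alice": 10001, "DOMAIN\\bob": 10002}


def run_check(dumps=HOST_DUMPS, ad_ids=AD_UIDNUMBERS):
    """Parse every host dump and return (mismatches, collisions)."""
    per_host = {host: parse_passwd(text) for host, text in dumps.items()}
    return id_mismatches(per_host, ad_ids), numeric_collisions(per_host)


if __name__ == "__main__":
    mismatches, collisions = run_check()
    for name, srcs in sorted(mismatches.items()):
        print(name + ": " + ", ".join(f"{s}={u}" for s, u in sorted(srcs.items())))
    for uid, owners in sorted(collisions.items()):
        print(f"uid {uid} is " + ", ".join(f"{n} on {h}" for h, n in sorted(owners.items())))
```

In a real deployment, replace the constructed `HOST_DUMPS` with the saved output of `getent passwd` from each host and `AD_UIDNUMBERS` with the uidNumber attribute read from AD for each account; an empty result from both functions is what a consistently mapped domain looks like, and any collision is the concrete case where Rowland's tarball example changes owner on unpacking.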