Rowland Penny
2017-Sep-13 16:49 UTC
[Samba] Slow, Incorrect Group Resolution through Winbind
On Wed, 13 Sep 2017 12:37:17 -0400 Sonic <sonicsmith at gmail.com> wrote:

> On Wed, Sep 13, 2017 at 12:22 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > For the 'DOMAIN' domain you can use several different backends
> > (rid, ad etc) but I wouldn't use the tdb backend, how are you going
> > to be sure you will get the same IDs on all Unix machines ?
>
> That's exactly why I personally use rid for the DOMAIN domain.
> However, you seemed to suggest that my post was incorrect because I
> left the OP's desired backend (not my choice) in place during my
> reply, which still, as far as I can tell, is not an incorrect
> configuration via the info in the man page. If indeed my answer was
> incorrect then the man page needs some updating.
>
> Chris

You posted:

    Should be more like:
    idmap config STUDENTS : range = 16777216-33554431
    idmap config STUDENTS : backend = tdb

And, yes the smb.conf manpage does say this:

    These are suitable for use in the default idmap configuration.

and refer to tdb,tdb2 and ldap. I wouldn't use any of these on a Unix domain member, because the manpage also says this:

    these create mappings of their own using internal unixid counters and store the mappings in a database.

This means there is no way to ensure that users and groups will get the same ID on different Unix domain members.

Rowland
On Wed, Sep 13, 2017 at 12:49 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> And, yes the smb.conf manpage does say this:
>
> These are suitable for use in the default idmap configuration.
>
> and refer to tdb,tdb2 and ldap. I wouldn't use any of these on a Unix
> domain member, because the manpage also says this:
>
> these create mappings of their own using internal unixid counters and
> store the mappings in a database.
>
> This means there is no way to ensure that users and groups will get the
> same ID on different Unix domain members.

I'm the first to agree that using tdb for the DOMAIN domain is not ideal. However, it is not invalid (as far as I can tell from the documentation).

Chris
Rowland Penny
2017-Sep-13 17:03 UTC
[Samba] Slow, Incorrect Group Resolution through Winbind
On Wed, 13 Sep 2017 12:55:58 -0400 Sonic <sonicsmith at gmail.com> wrote:

> On Wed, Sep 13, 2017 at 12:49 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > And, yes the smb.conf manpage does say this:
> >
> > These are suitable for use in the default idmap configuration.
> >
> > and refer to tdb,tdb2 and ldap. I wouldn't use any of these on a
> > Unix domain member, because the manpage also says this:
> >
> > these create mappings of their own using internal unixid counters
> > and store the mappings in a database.
> >
> > This means there is no way to ensure that users and groups will get
> > the same ID on different Unix domain members.
>
> I'm the first to agree that using tdb for the DOMAIN domain is not
> ideal. However, it is not invalid (as far as I can tell from the
> documentation).
>
> Chris

I am not saying it is invalid, I am just saying you should not use them for the 'DOMAIN' backend because you have no way to get consistent IDs.

Rowland
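
The point argued in this thread is allocation versus calculation. As an added example that is not part of the original messages and not Samba code, the Python model below contrasts a counter-based backend (as the manpage text quoted above describes tdb) with the ID = RID - BASE_RID + LOW_RANGE_ID calculation documented in idmap_rid(8); the class names, the domain SID and the lookup orders are constructed for illustration.

```python
# Added illustration (not Samba code); SIDs and lookup orders are constructed.
LOW, HIGH = 16777216, 33554431          # range quoted in the thread
DOM = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID


class AllocatingMap:
    """tdb-style: hand out the next free ID and remember it in a local store."""
    def __init__(self, low=LOW, high=HIGH):
        self.next_id, self.high, self.store = low, high, {}

    def sid_to_id(self, sid):
        if sid not in self.store:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.store[sid] = self.next_id
            self.next_id += 1
        return self.store[sid]


class RidMap:
    """rid-style: ID = RID - BASE_RID + LOW_RANGE_ID, nothing stored."""
    def __init__(self, low=LOW, high=HIGH, base_rid=0):
        self.low, self.high, self.base_rid = low, high, base_rid

    def sid_to_id(self, sid):
        unix_id = int(sid.rsplit("-", 1)[1]) - self.base_rid + self.low
        if not self.low <= unix_id <= self.high:
            raise ValueError(f"{sid} maps outside the configured range")
        return unix_id


def ids_on_member(backend, lookup_order):
    """Resolve SIDs in the order this member happens to see them."""
    return {sid: backend.sid_to_id(sid) for sid in lookup_order}


def mismatches(map_a, map_b):
    """SIDs that ended up with different Unix IDs on the two members."""
    return sorted(s for s in map_a if map_a[s] != map_b.get(s))


ORDER_A = [f"{DOM}-{rid}" for rid in (1104, 1105, 1106)]   # member A's lookups
ORDER_B = [f"{DOM}-{rid}" for rid in (1106, 1104, 1105)]   # member B's lookups

if __name__ == "__main__":
    for name, cls in (("allocating", AllocatingMap), ("rid", RidMap)):
        diff = mismatches(ids_on_member(cls(), ORDER_A), ids_on_member(cls(), ORDER_B))
        print(f"{name}: {len(diff)} SID(s) map differently on the two members")
```

With per-member counters, a file written by one UID on member A can appear owned by a different account on member B, which is the consistency problem described above.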