> >
> > Is 'idmap rid' a better choice than ad? Can I still copy files with
> > rsync in that case or will file ownership be mangled?
>
> Quantify better ?
> One isn't really better than the other, they are both usable, but in
> different ways and reasons.
> It might help if you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I've read it several times, but I start to think that I simply don't understand the concepts.

The old server does not have idmap config in the smb.conf (because it is a DC, right?).

If I ls a file in the old fileserver, it looks like this:

-rwxrwx---+ 1 3000148 users 31M sep 19 15:16 10160-101.zip

So, 3000248 is a UID.

If I use winbind 'rid' backend and copy the file above to the new server with rsync it will keep 3000148 as owner, but will 3000148 be connected to the same login on both servers?

I think that I'll just add a testserver to find out how it works.

[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM

log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 3000000-3999999

Will that do (but replace SAMDOM with my realm)?

-Mark-

On Mon, 26 Nov 2018 17:27:29 +0100 Mark Amundsen via samba <samba at lists.samba.org> wrote:

> > >
> > > Is 'idmap rid' a better choice than ad? Can I still copy files
> > > with rsync in that case or will file ownership be mangled?
> >
> > Quantify better ?
> > One isn't really better than the other, they are both usable, but in
> > different ways and reasons.
> > It might help if you read this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> I've read it several times, but I start to think that I simply don't
> understand the concepts.

The concepts are fairly simple, you only need uidNumber & gidNumber attributes in AD if you want the same numeric ID's everywhere. DC's use xidNumber attributes and these are only used on a DC. You can use either the 'ad' or 'rid' backend on a Unix domain member and only on a Unix domain member.

>
> The old server does not have idmap config in the smb.conf (because it
> is a DC, right?).

You cannot use the 'idmap config' lines on a DC.

>
> If I ls a file in the old fileserver, it looks like this:
>
> -rwxrwx---+ 1 3000148 users 31M sep 19 15:16 10160-101.zip
>
> So, 3000248 is a UID.

To be honest, it looks like an 'xidNumber', the '3000000' numbers normally only occur on a Samba AD DC, was the old fileserver a DC ?

>
> If I use winbind 'rid' backend and copy the file above to the new
> server with rsync it will keep 3000148 as owner, but will 3000148 be
> connected to the same login on both servers?

Not necessarily, as I said, '3000148' looks like an xidNumber from idmap.ldb and, as is well known, you probably would get a different number on another DC, the same will go for a Unix domain member using the 'rid' backend.

The user's UID on a Unix domain member using the 'rid' backend is calculated from the user's 'RID' with this equation:

ID = RID - BASE_RID + LOW_RANGE_ID

All RID's start from '1000' and the BASE_RID is '0' unless set to a different number, so, from this and the info provided below, the equation could be written as this:

ID = RID + 3000000

And using the lowest RID

ID = 1000 + 3000000

ID = 3001000

So, no, you will never see the ID '3000148' on a Unix domain member

>
> I think that I'll just add a testserver to find out how it works.
>
> [global]
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.EXAMPLE.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 3000000-3999999
>
> Will that do (but replace SAMDOM with my realm)?

Yes, but just as long as you understand that you will never get the same numeric ID's everywhere.

Rowland

> > If I ls a file in the old fileserver, it looks like this:
> >
> > -rwxrwx---+ 1 3000148 users 31M sep 19 15:16 10160-101.zip
> >
> > So, 3000248 is a UID.
>
> To be honest, it looks like an 'xidNumber', the '3000000' numbers
> normally only occur on a Samba AD DC, was the old fileserver a DC ?

Yes, old server is both AD DC and fileserver.

> >
> > If I use winbind 'rid' backend and copy the file above to the new
> > server with rsync it will keep 3000148 as owner, but will 3000148 be
> > connected to the same login on both servers?
>
> Not necessarily, as I said, '3000148' looks like an xidNumber from
> idmap.ldb and, as is well known, you probably would get a different
> number on another DC, the same will go for a Unix domain member using
> the 'rid' backend.
> The user's UID on a Unix domain member using the 'rid' backend is
> calculated from the user's 'RID' with this equation:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> All RID's start from '1000' and the BASE_RID is '0' unless set to a
> different number, so, from this and the info provided below, the
> equation could be written as this:
>
> ID = RID + 3000000
>
> And using the lowest RID
>
> ID = 1000 + 3000000
>
> ID = 3001000
>
> So, no, you will never see the ID '3000148' on a Unix domain member

Had to leave this project for a while but I think I'm on top of it now. Went for RID in the end, just have to figure out how to best copy all files from oldserver to newserver, but I think I'll figure it out.

I am very grateful for all your help! I'll make a donation.

-Mark-
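
Added example (not part of the original thread and not Samba's own code): the 'rid' formula from Rowland's reply, with the range from the posted smb.conf, used to build the old-owner to new-ID table that the copy from oldserver to newserver has to apply. The domain SID, the RIDs and the old xidNumber-to-SID table are constructed sample data; how that table is collected on the old DC is left as an assumption.

```python
"""Constructed example: idmap 'rid' arithmetic and an ownership remap plan."""

LOW, HIGH = 3000000, 3999999   # 'idmap config SAMDOM : range' from the thread
BASE_RID = 0                   # default, as stated in the thread


def rid_to_id(rid, low=LOW, high=HIGH, base_rid=BASE_RID):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range."""
    new_id = rid - base_rid + low
    return new_id if low <= new_id <= high else None


def id_to_rid(num_id, low=LOW, high=HIGH, base_rid=BASE_RID):
    """Inverse: the RID a domain member would derive from a numeric ID."""
    if not low <= num_id <= high:
        return None
    return num_id - low + base_rid


def remap_plan(old_owner_to_sid, domain_sid):
    """Map each numeric owner seen on the old DC to the ID the member will use.

    old_owner_to_sid: {old xidNumber: SID string} (hypothetical export format).
    Owners whose SID is outside domain_sid, or whose RID falls outside the
    range, map to None and must be handled by hand, not copied numerically.
    """
    plan = {}
    for old_id, sid in old_owner_to_sid.items():
        prefix, _, rid = sid.rpartition("-")
        plan[old_id] = rid_to_id(int(rid)) if prefix == domain_sid else None
    return plan


# Constructed sample data: this domain SID and these RIDs are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_OWNERS = {
    3000148: DOMAIN_SID + "-1105",      # owner of 10160-101.zip on the old DC
    3000001: "S-1-5-32-544",            # BUILTIN SID, not in the domain
    3000999: DOMAIN_SID + "-1000500",   # RID too large for the configured range
}

if __name__ == "__main__":
    # A numeric copy keeps 3000148, which the member would read as RID 148.
    print("3000148 read back as RID", id_to_rid(3000148))
    for old, new in remap_plan(OLD_OWNERS, DOMAIN_SID).items():
        print(old, "->", new)
```

Each non-None pair is an ownership change the copy must make, for instance with a chown pass afterwards or with rsync's `--usermap`/`--groupmap` options; None entries need a manual decision.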