On 10/08/2019 08:00, Stefan G. Weichinger via samba wrote:
> On 09.08.19 at 19:57, Rowland penny via samba wrote:
>> On 09/08/2019 18:13, Stefan G. Weichinger via samba wrote:
>>> On 09.08.19 at 12:49, Rowland penny via samba wrote:
>>>> On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>>>>>> You have to give any users you require visible on Unix a uidNumber
>>>>>> attribute
>>>>> Ok, I can do it with samba-tool user edit...
>>> I think my rsnapshot-issue corresponds with this thread as well.
>>>
>>> wbinfo -i userXY shows different uids on the DC and the DM.
>>>
>>> Therefore the rsynced files belonging to uid-of-user-on-DM are shown as
>>> plain uid-number on the DC and can't be accessed correctly.
>>>
>>> Seems I need to add a uid as well.
>>>
>>> sorry if I hijacked here, just adding my current view ...
>>>
>>>
>> Ah, so you are backing up something from a DC to a Unix domain member,
>> then you may have problems.
>>
>> There are three main methods of setting IDs:
>>
>> On a DC, by default, idmap.ldb is used, this stores the IDs in xidNumber
>> attributes and the range starts at '3000000', these numbers are only
>> used on a Samba AD DC.
>>
>> For Unix domain members, there are the 'rid' and 'ad' winbind backends,
>> the 'rid' backend calculates the ID from the RID and the low DOMAIN
>> range set in smb.conf, so if the low range is '10000' and the first RID
>> is '1000' the first user ID will be '11000'
>>
>> The 'ad' backend uses the uidNumber & gidNumber attributes from AD, as
>> long as they are inside the DOMAIN range set in smb.conf.
>>
>> The only way to get the same IDs everywhere on Unix is to use the
>> uidNumber & gidNumber attributes, they will override the xidNumbers on
>> a DC, but you will have to use the 'ad' backend.
>>
>> If you use the 'rid' backend, you can get the same IDs on Unix domain
>> members, but only if you use the same 'idmap config' lines on all Unix
>> domain members, however you will still have different IDs on the DCs.
>>
>> A different way around this would be to backup to a directory and then
>> tar the directory into a file.
> Rowland thank you for explaining this (or trying to explain, I still
> have to re-read and find it over-complicated).
>
> I try another rsync-parameter now to map via user/group-names instead of
> ids. For the use-case of backups/snapshots this might be enough.

I will try again ;-)

On a DC, as standard, the numeric IDs are allocated on a first come
basis from the '3000000' range.

On Unix domain members it depends on two things, which winbind backend
you use, linked with the Domain range set in AD, the examples on the
Samba wiki use '10000-999999'

If you use the 'rid' backend, then the IDs are calculated via this
formula:

ID = RID - BASE_RID + LOW_RANGE_ID

The 'BASE_RID' is always '0' (unless you set it to something else, but
why would you?)

So the formula is really:

ID = RID + LOW_RANGE_ID

So let's fill that in with data, '1000' for the RID and the low range
from the wiki example '10000'

ID = 1000 + 10000

Or

ID = 11000

I will leave you to calculate the ID for Domain Users, given that its
RID is always '513'

I hope you can see that, if you do nothing, you will never get the same
numeric ID on a DC and a Unix domain member using the winbind 'rid'
backend.

The only way to get the same numeric IDs everywhere is to use the
winbind 'ad' backend. This relies on the addition of uidNumber
attributes to users and gidNumber attributes to groups. These 'numbers'
must be inside the range set in smb.conf, any 'numbers' outside the
range will be ignored. You must ensure that Domain Users is given a
gidNumber, or all your users will be ignored.

HTH
Rowland
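
Added example, not part of the original message and not Samba code: a small Python model of the three ID sources described in this thread, showing which accounts would resolve to the same numeric owner on a DC and on a domain member (the condition numeric-ID rsync backups depend on). The account names, RIDs, uidNumber and xidNumber values are constructed, and the function names are hypothetical.

```python
# Model of the ID mapping rules described in the thread (not Samba's code).
LOW, HIGH = 10000, 999999   # 'idmap config DOMAIN : range' from the wiki example
BASE_RID = 0                # default base RID for the 'rid' backend

# Constructed sample accounts: xid stands for the DC's idmap.ldb allocation.
USERS = [
    {"name": "alice", "rid": 1104, "uidNumber": 10500, "xid": 3000021},
    {"name": "bob",   "rid": 1105, "uidNumber": None,  "xid": 3000022},
    {"name": "carol", "rid": 1106, "uidNumber": 5000,  "xid": 3000023},
]

def in_range(n):
    return n is not None and LOW <= n <= HIGH

def rid_backend(rid):
    """Member with the 'rid' backend: ID = RID - BASE_RID + LOW_RANGE_ID."""
    uid = rid - BASE_RID + LOW
    return uid if in_range(uid) else None   # outside the range: not mapped

def ad_backend(user, domain_users_gid):
    """Member with the 'ad' backend: uidNumber from AD, only inside the range.
    Without a usable gidNumber on Domain Users, every user is ignored."""
    if not in_range(domain_users_gid):
        return None
    return user["uidNumber"] if in_range(user["uidNumber"]) else None

def dc_id(user):
    """On a DC a uidNumber overrides the xidNumber allocated in idmap.ldb."""
    return user["uidNumber"] if user["uidNumber"] is not None else user["xid"]

def compare(users, domain_users_gid):
    """Per user: the ID each host type resolves and whether it equals the DC's."""
    rows = {}
    for u in users:
        dc, rid, ad = dc_id(u), rid_backend(u["rid"]), ad_backend(u, domain_users_gid)
        rows[u["name"]] = {
            "dc": dc, "rid": rid, "ad": ad,
            "rid_matches_dc": rid is not None and rid == dc,
            "ad_matches_dc": ad is not None and ad == dc,
        }
    return rows

if __name__ == "__main__":
    # 10513 is a constructed gidNumber for Domain Users, chosen inside the range.
    for name, row in compare(USERS, domain_users_gid=10513).items():
        print(name, row)
```

Only the account with an in-range uidNumber resolves identically on the DC and on an 'ad' member; the others would show up as a bare or different number on one side, which is the ownership mismatch reported for the rsynced files.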