search for: idmap_autorid

...identify the user and the domain it > >>> comes from, surely we can find a way to do this for Samba, we are > >>> half way there with the 'rid' backend. > >> > >> I'm not really what "there" implies for you, but it seems > >> idmap_autorid is eventually the backend that takes you "there". :) > > > > No it doesn't, at the moment, the only way to get the same ID on all > > Unix machines (this includes DC's) is to use the 'ad' backend. > > Sure. But only certain use cases require the s...

...er for Windows > >users and groups, both uid and gid have the same value and are the > >xid. That way Samba can also assign the ownership of files to a > >group. The idmap backend has to be able to support XID though, not > >all idmap backends do so. > > in particular idmap_autorid, idmap_rid and idmap_script support this > so called mode, idmap_ad doesn't. > > -slow > I take it that xid is used internally by Samba to identify calculated ID's, because the only place a normal user will come across them is in idmap.ldb. If this is correct, then it doesn...

...gt; > > Windows Uses the SID-RID to identify the user and the domain it > > comes from, surely we can find a way to do this for Samba, we are > > half way there with the 'rid' backend. > > I'm not really what "there" implies for you, but it seems > idmap_autorid is eventually the backend that takes you "there". :) No it doesn't, at the moment, the only way to get the same ID on all Unix machines (this includes DC's) is to use the 'ad' backend. You think autorid is the way forward, well sorry, but in my opinion, it isn't. Row...

...ses the SID-RID to identify the user and the domain it >>>> comes from, surely we can find a way to do this for Samba, we are >>>> half way there with the 'rid' backend. >>> I'm not really what "there" implies for you, but it seems >>> idmap_autorid is eventually the backend that takes you "there". :) >> No it doesn't, at the moment, the only way to get the same ID on all >> Unix machines (this includes DC's) is to use the 'ad' backend. > Sure. But only certain use cases require the same id on all machi...

...ba release all you wish, it > > doesn't make it truth. I will continue helping the original post. > > I refer you to my other post > > Rowland Penny > > Samba team member > This does make me wonder whether it would be worth adding an optional non-default parameter to idmap_autorid to have it use the sssd slicing algorithm to determine ranges. Sort of like SSSD has an autorid compatibility parameter.

...th uid and gid have the same value and are the > >> >xid. That way Samba can also assign the ownership of files to a > >> >group. The idmap backend has to be able to support XID though, not > >> >all idmap backends do so. > >> > >> in particular idmap_autorid, idmap_rid and idmap_script support > >> this so called mode, idmap_ad doesn't. > > > >I take it that xid is used internally by Samba to identify calculated > >ID's, because the only place a normal user will come across them is > >in idmap.ldb. If this is co...

...rote: >On Sun, 24 Feb 2019 19:25:14 +0100 >Ralph Böhme <slow at samba.org> wrote: >> Am 24.02.2019 um 18:48 schrieb Rowland Penny via samba <samba at lists.samba.org>: >> >> I'm not really what "there" implies for you, but it seems >> >> idmap_autorid is eventually the backend that takes you "there". :) >> > >> > No it doesn't, at the moment, the only way to get the same ID on all >> > Unix machines (this includes DC's) is to use the 'ad' backend. >> >> Sure. But only certain use c...

...Boeck <hanno at hboeck.de> * BUG 12746: lib: debug: Avoid negative array access. * BUG 12748: cleanupdb: Fix a memory read error. o Ralph Boehme <slow at samba.org> * BUG 7537: streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY. * BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from other backends. * BUG 12565: vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY. * BUG 12615: manpages/vfs_fruit: Document global options. * BUG 12624: lib/pthreadpool: Fix a memory leak. * BUG 12727: Lookup-domain for well-kn...

...Boeck <hanno at hboeck.de> * BUG 12746: lib: debug: Avoid negative array access. * BUG 12748: cleanupdb: Fix a memory read error. o Ralph Boehme <slow at samba.org> * BUG 7537: streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY. * BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from other backends. * BUG 12565: vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY. * BUG 12615: manpages/vfs_fruit: Document global options. * BUG 12624: lib/pthreadpool: Fix a memory leak. * BUG 12727: Lookup-domain for well-kn...

...dentify the user and the domain it > >>>> comes from, surely we can find a way to do this for Samba, we are > >>>> half way there with the 'rid' backend. > >>> I'm not really what "there" implies for you, but it seems > >>> idmap_autorid is eventually the backend that takes you "there". :) > >> No it doesn't, at the moment, the only way to get the same ID on > >> all Unix machines (this includes DC's) is to use the 'ad' backend. > > Sure. But only certain use cases require the same...

...how would winbind know which is which ? It only strips the default domain. All the others are untouched. It is (essentially) also only in the getpwnam() and pam codepaths, not in the SID->ID stuff, we generally avoid going via names as much as possible. This is by design. The while idea of idmap_autorid and idmap_rid is that we don't want to rely on any remote communication (eg name->sid calls and reverse) to determine the mapping, as that could fail at the critical momenet. > This is the only reason I can think of that could change the ID. > > Can you think of another reason An...

...>users and groups, both uid and gid have the same value and are the >> >xid. That way Samba can also assign the ownership of files to a >> >group. The idmap backend has to be able to support XID though, not >> >all idmap backends do so. >> >> in particular idmap_autorid, idmap_rid and idmap_script support this >> so called mode, idmap_ad doesn't. > >I take it that xid is used internally by Samba to identify calculated >ID's, because the only place a normal user will come across them is in >idmap.ldb. If this is correct, then it doesn'...

...dows Uses the SID-RID to identify the user and the domain it >>> comes from, surely we can find a way to do this for Samba, we are >>> half way there with the 'rid' backend. >> >> I'm not really what "there" implies for you, but it seems >> idmap_autorid is eventually the backend that takes you "there". :) > > No it doesn't, at the moment, the only way to get the same ID on all > Unix machines (this includes DC's) is to use the 'ad' backend. Sure. But only certain use cases require the same id on all machines, m...

...al post. > > > > > > I refer you to my other post > > > > > > Rowland Penny > > > > > > Samba team member > > > > > > > This does make me wonder whether it would be worth adding an optional > > non-default parameter to idmap_autorid to have it use the sssd slicing > > algorithm to determine ranges. Sort of like SSSD has an autorid > > compatibility parameter. > > Happy to review if you write it :-). Anything that > will remove friction moving to/from winbindd/sssd > would be good for users ! > We ca...

...domain. All the others are > > untouched. It is > > (essentially) also only in the getpwnam() and pam codepaths, not in > > the > > SID->ID stuff, we generally avoid going via names as much as > > possible. > > > > This is by design. The while idea of idmap_autorid and idmap_rid > > is > > that we don't want to rely on any remote communication (eg name- > > >sid > > calls and reverse) to determine the mapping, as that could fail at > > the > > critical momenet. > > > > Then when why does 'man smb.co...

On 2019-02-25 at 11:32 +0000 Rowland Penny via samba sent off: > > (I take it xid stands for both uid and gid?) > > No, I think it was chosen to differentiate them from uidNumber & > gidNumber attributes, they are similar but not the same. They also only > exist on DC's in Windows the owner of a file can be a group. In the unix world the main owner is always a user.

...rom wiki.samba.org: >> https://wiki.samba.org/index.php/Idmap_config_autorid > > Cannot argue with that fact, it is there, but it also says it is meant > to be used with the 'DOMAIN' domain not the '*' domain, looks like I > will have to make that more prominent. idmap_autorid can be used as default domain, Alexander's idmap config is perfectly fine. -slow

...which is why I am asking) and if so how ? a group doesn't have a password so how can it authenticate? > My view is that we should always have mapped SIDs to both a UID and GID, > and I understand that in general, we are doing that now in new backends. > See for example idmap_rid and idmap_autorid. > > The only tricky bit is that while a user can be put in an extra group to > pick up any permissions assigned to it as a group, a group can't get > user-based permissions, so can't obtain the extra rights associated with > file ownership. Again I ask, what file ownership?...

On Sun, 24 Feb 2019 15:58:39 +0100 Ralph Böhme <slow at samba.org> wrote: > Am 24.02.2019 um 12:46 schrieb Rowland Penny via samba > <samba at lists.samba.org>: > > Seen where ? and how ? > > one problem is that, by design, as a domain member, it makes us > behave different compared to a Windows system. Hic sunt dracones. Why not just say 'here be

...void negative array access. > > * BUG 12748: cleanupdb: Fix a memory read error. > > > > o Ralph Boehme <slow at samba.org> > > * BUG 7537: streams_xattr and kernel oplocks results in > > NT_STATUS_NETWORK_BUSY. > > * BUG 11961: winbindd: idmap_autorid allocates ids for > unknown SIDs from other > > backends. > > * BUG 12565: vfs_fruit: Resource fork open request with > > flags=O_CREAT|O_RDONLY. > > * BUG 12615: manpages/vfs_fruit: Document global options. > > * BUG 12624: lib/pthreadpool:...