winbindd_idmap.tdb recovery

Esh, Andrew AEsh at tricord.com
Fri Feb 8 14:45:06 GMT 2002


So the question becomes: Is 268,435,456 (2^28) users per domain enough? Too
much? Can the domain portion of the SID be deterministically hashed to six
bits in a way that minimizes collisions?

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
Sent: Friday, February 08, 2002 4:26 PM
To: 'Jean Francois Micouleau'; MCCALL,DON (HP-USA,ex1)
Cc: STEFFENS,MICHAEL (HP-Germany,ex1); 'Tim Potter';
'samba-technical at samba.org'
Subject: RE: winbindd_idmap.tdb recovery

-----Original Message-----
From: Jean Francois Micouleau [mailto:Jean-Francois.Micouleau at dalalu.fr]
Sent: Friday, February 08, 2002 5:08 PM
To: MCCALL,DON (HP-USA,ex1)
Cc: STEFFENS,MICHAEL (HP-Germany,ex1); 'Tim Potter';
'samba-technical at samba.org'
Subject: RE: winbindd_idmap.tdb recovery

On Fri, 8 Feb 2002, MCCALL,DON (HP-USA,ex1) wrote:

> Continuing this discussion with myself  (I think better when I talk, even
> though it exposes my ignorance),
>
> At least on HP-UX, uid_t is a 32bit unsigned integer, capable of handling
> the entire rid space from win2k...
> Why map at ALL? Just USE the rid coming back from the Win2k server, and
> only map if there is a conflict with a local uid?  Or are most other UN*X
> implementations more limited to their uid space?

You can't as soon as you add trust relationships to the equation.

tridge's idea was to reserve 6 or 7 bits for the domain and the 32-(6 or
7) bits left for the rid.

	J.F.
Hi J.F:
That makes a lot of sense.  You could map a LOT of trusted domains into 6-7
bits...
Realistically, how many trusted domains would you find in even a large
enterprise environment (of course, 3 years ago I had a 1gig disk that I
thought I'd never fill up, either...).
And, of course, this still begs the question if M$ decides suddenly that it
wants to force assign a particular service type user rid up near the 1 billion
mark... Stranger things have been done.

The only other 'automatic' way I see around this is to go ahead and assign
on a 1st come 1st serve basis, but require all the samba member servers in a
particular domain to know about each other, and implement some sort of
winbindd_idmap multiple master scheme, where if you didn't find a local map
for the sid coming in, before you did the mapping, you checked with your
'samba ring' to see if the sid had been mapped anywhere else, and use the
same mapping.  And with all the synchronization problems, etc. this could be
a nightmare to bulletproof.

Thanks for continuing the conversation!
Don
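As an added illustration of the split-uid scheme J.F. attributes to tridge (6 bits for the domain, 32 minus 6 bits for the RID), and of the two questions raised in the thread (hashing a domain SID to six bits and a RID forced "up near the 1 billion mark"), here is example code that is not from the thread or from Samba itself. The SHA-1-derived domain index is a hypothetical choice, and every SID in it is constructed.

```python
import hashlib

# Layout assumed for illustration: 6 domain bits, the other 26 bits for the RID.
DOMAIN_BITS = 6
RID_BITS = 32 - DOMAIN_BITS            # 26 bits of RID space per domain
MAX_RID = (1 << RID_BITS) - 1          # 67,108,863: largest RID that fits
UID_T_MAX = (1 << 32) - 1              # 32-bit unsigned uid_t, as on HP-UX

def domain_index(domain_sid):
    """Deterministically hash a textual domain SID to a 6-bit index.
    Hypothetical choice: low DOMAIN_BITS bits of SHA-1 over the SID string."""
    digest = hashlib.sha1(domain_sid.encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << DOMAIN_BITS) - 1)

def sid_to_uid(domain_sid, rid):
    """Pack (domain index, RID) into one uid; refuse RIDs that do not fit."""
    if not 0 <= rid <= MAX_RID:
        raise ValueError("RID %d needs more than %d bits (max %d)"
                         % (rid, RID_BITS, MAX_RID))
    uid = (domain_index(domain_sid) << RID_BITS) | rid
    assert uid <= UID_T_MAX
    return uid

def uid_to_parts(uid):
    """Inverse of sid_to_uid: recover (domain index, RID) from a uid."""
    return uid >> RID_BITS, uid & MAX_RID

def domain_collisions(domain_sids):
    """Return {index: [sids]} for every 6-bit index shared by >1 domain."""
    buckets = {}
    for sid in domain_sids:
        buckets.setdefault(domain_index(sid), []).append(sid)
    return {idx: sids for idx, sids in buckets.items() if len(sids) > 1}

if __name__ == "__main__":
    dom = "S-1-5-21-1000-2000-3000"          # constructed SID, not a real domain
    uid = sid_to_uid(dom, 1105)
    print(uid, uid_to_parts(uid))             # round-trips to (index, 1105)
    try:
        sid_to_uid(dom, 1_000_000_000)        # Don's RID "up near the 1 billion mark"
    except ValueError as err:
        print("rejected:", err)
    # 100 constructed trusted domains into 64 buckets must share some index.
    trusted = ["S-1-5-21-%d-%d-%d" % (i, i * 7, i * 13) for i in range(100)]
    print(len(domain_collisions(trusted)), "shared indexes")
```

With 64 possible domain indexes, the pigeonhole principle alone guarantees collisions once more than 64 trusted domains are in play, and the birthday bound makes them likely well before that, so a deterministic hash needs a collision table beside it.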