Meaning of 'idmap backend' ?

Andrew Bartlett abartlet at
Tue Jul 1 01:30:33 GMT 2003

On Tue, 2003-07-01 at 01:56, Simo Sorce wrote:
> On Mon, 2003-06-30 at 17:18, Volker Lendecke wrote:
> > Hi!
> > 
> > In trying to understand the IDMAP, the concept of a remote IDMAP
> > somewhat puzzles me, at least as far as it is coded and commented:
> > 
> > Who is authoritative for mappings? Is it the local (or cache or
> > whatever) map? If this is the case then I don't see how the BDC
> > situation is decently handled. Simo, you had confirmed that you took
> > care of that decently.
> The idea is that if you have a remote mapping, then that is the
> authoritative one.
> The remote mapping maybe a centralized idmap (code not done yet), or a
> centralized LDAP server.
> Currently it serves also winbind but that's to keep compatibility, it's
> not the right way to go for future development.
> In future development I think we should move the "remote/authoritative"
> functionality into winbind, so that we can avoid abusing resources.
> Winbind can effectively handle a single ldap connection or any other
> mechanism and also provide more information to determine the SID mapping
> (UID or GID?) in some cases.

smbd will now always ask winbindd for the 'remote' stuff.  This means
that it breaks if smbd tries to 'set' a mapping, as we don't have that
code in the winbind idmap module.

Indeed, I think it's the fact that this is broken that might be
preventing some of the lockups I'm so worried about :-).

> > Looking at idmap_set_mapping confuses me even more. We first update the
> > local mapping and then try to update the remote one with a puzzling
> > comment:
> > 
> >         /* Being able to update the remote cache is seldomly right.
> > 	           Generally this is a forbidden operation. */
> > 
> > So who does ever update the remote mapping?
> > 
> > *confused*
> Well the idea is that you generally ask for a mapping to the
> remote/authoritative map. When you ask for a mapping the remote map will
> actually do the map for you and come back with the result.
> On a client of a centralized idmap you should set arbitrary mappings
> only on the master not on a client (that's the source of the comment).
> The idea is that you should have a control mechanism that make the
> central idmap admin decide if remote servers can add mappings, in that
> case remote servers will be able to push mappings, otherwise a
> set_mapping on client idmap server should not be able to push the
> mapping.
> Currently you are entitled to set the mapping locally even if the remote
> backend does not to be able to use the winbind_idmap hack.
> It's not the nicer thing on earth but it works just now, I know we need
> to improve that mechanism.

How is this for a nasty situation:

Who owns the 'nobody' user.  We have decided that this belongs to the
local SAM's 'guest' account, as we must have a guest, and they need a
valid NT sid, and it really needs to end in -501.

However, what happens if 10 domain members, all with read-write access
onto a central LDAP server, try to set the mapping between uid '99' and
my-sid-xyz-501, for each different version of my-sid-xyz...

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list