Meaning of 'idmap backend' ?

Andrew Bartlett abartlet at
Sun Jul 6 10:53:42 GMT 2003

On Tue, 2003-07-01 at 18:46, Simo Sorce wrote:
> On Tue, 2003-07-01 at 03:30, Andrew Bartlett wrote:
> > How is this for a nasty situation:
> > 
> > Who owns the 'nobody' user.  We have decided that this belongs to the
> > local SAM's 'guest' account, as we must have a guest, and they need a
> > valid NT sid, and it really needs to end in -501.
> > 
> > However, what happens if 10 domain members, all with read-write access
> > onto a central LDAP server, try to set the mapping between uid '99' and
> > my-sid-xyz-501, for each different version of my-sid-xyz...
> > 
> > Andrew Bartlett
> Well there are 2 possible solutions:
> 1. keep the possibility to have slightly different mappings under a
> certain uid on the system, so that each system will have the Guest
> mapped only locally.
> 2. Each system need a different nobody.
> ---
> 1. this is the easiest and most compatible way, but have also the
> problem that xx-yyy-zzz-501 SIDs from other domains have problems to be
> mapped.
> 2. This is really difficult to adopt on existing systems, not a problem
> for new networks.

I think we need both :-)

> ---
> Now I think a middle time solution is:
> Allow wellknow SIDs (and only them), like admin and guest users, and
> admin, guest and users groups, to have multimappings, so that each
> system have the same mapping for it's own wellknown users/groups.
> In this scenario you have
> uid 99 ->  special-prefix-501
> aa-aa-aa-501 -> uid 99
> bb-bb-bb-501 -> uid 99
> cc-cc-cc-501 -> uid 99
> when you ask for 99 you get only the mapping relative to your domain by
> substituting special-prefix with your own domain prefix.
> This is not a very nice solution but may be a good compromise.
> Now I'll wait screams that debunk this crappy idea :-)

I've been thinking about this a lot - and in particular how we can deal
with the 'algorithmic mappings' of various domains.  

What I'm thinking (for LDAP) is this:

 - All Unix servers to be covered by the LDAP idmap server must either
 - Search for the 'sambaDomain' object in LDAP.  If it is present, then
we know that domain is being managed with LDAP.  This should then give
that domain a 'right' to assert an algorithmic mapping, based on it's
algorithmic rid base.  Likewise, it indicates that it may map uids/gids
outside the 'idmap uid' range.  If that domain object is not present,
and it is our local domain, then we ignore entries for our domain in
ldap, and keep them locally. 

But really, for an multidomain situtation, we need 'pure idmap', no
algorithms and a perfectly available IDMAP server...

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list