[PATCH] idmap-plugin for static rid->[u|g]id-mapping

Simo Sorce simo.sorce at xsec.it
Thu Mar 25 14:41:21 GMT 2004


On Thu, 2004-03-25 at 13:15, Guenther Deschner wrote:
> Hi *,
> 
> attached you'll find a first version of an idmap-plugin for winbindd that
> does a static mapping between rid and uid/gid.
> 
> There is still a lot of cleanup to do, but basically it is working here in
> my tests and before any further effort is made, I really would appreciate
> your feedback.
> 
> This patch was made for a customer that uses samba3 and winbindd in a
> HA-setup with the goal of avoiding any idmap-inconsistencies or idmap-
> dependencies and have a fast, reliable and predictable id-mapping. 
> (As long as there is no working multi-master replication for
> OpenLDAP, idmap_ldap was not an alternative for us in that particular
> project.)
> 
> idmap_rid basically takes the rid of a sid as uid or gid and adds a
> configurable offset-range. In multidomain setups each domain-range has to
> be defined. Whatever range defined must fit into the global idmap uid /
> idmap gid-range. The latter two *must* be equal for now.
> 
> Configuration:
> 
>   idmap backend = idmap_rid: DOMAINA=10000-19999, DOMAINB=20000-29999
> 
> 	DOMAINA\Administrator will have uid: 10500
> 	DOMAINB\Administrator will have uid: 20500
> 
>   idmap backend = idmap_rid
> 
> 	If no ranges are defined, idmap_rid uses idmap uid-range for the
> 	own domain and discards all other domains.
> 
> Problems:
> 
>   If winbind is queried directly via wbinfo for a particular mapping, let's
> say wbinfo -G 10500, it will return the same sid as for wbinfo -U 10500
> because we cannot make a decision if a sid is user- or group-sid. What
> consequences could this have?
> 
>   Since winbindd is not started on module-init, we have to do all queries
> for sids and domain names ourselves. Or do we miss something here?
> 
> Any comments?

I see many problems with this approach that is even worse than the
original algorithmic mapping of samba.

Mixing users and groups is a problem with ACL of course and may lead to
other problems with auth code I think.

But moreover, starting from your example, what will you do with
RID=100500 of domain A? 10000+100500 = 110500 quite out of the original
domain space you assigned right?
And what will you do with RID= 10500 -> UID=20500 wasn't this the
DomainB administrator UID? wow we are administrators now!

The non-algorithmic mapping has been introduced because the SID space is
much greater than the UID/GID space and there's nothing you can do about
that (except kernel modifications :).

And also remember that while mappings are assigned dynamically they are
set in stone in the proper tdb, so that replicating that tdb is enough
for an HA-cluster.

Simo.

-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l. - http://www.xsec.it
via Garofalo, 39 - 20133 - Milano
mobile: +39 329 328 7702
tel. +39 02 2953 4143 - fax: +39 02 700 442 399
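The range arithmetic discussed in this thread, as an added illustration that is not the idmap_rid patch or Samba code: it parses the proposed `DOMAINA=10000-19999, DOMAINB=20000-29999` syntax, computes uid/gid = range base + RID, and refuses any result that leaves the domain's own range, so the RID 10500 / RID 100500 cases from the reply are rejected instead of landing on another domain's ids. The domain SIDs, the parser and the overlap check are constructed assumptions for the example; the reverse lookup also shows that a bare id cannot be told apart as uid or gid.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed config in the syntax proposed in the thread (hypothetical
# parser; idmap_rid's real parsing and winbindd lookups are not on the page).
CONFIG = "idmap_rid: DOMAINA=10000-19999, DOMAINB=20000-29999"

# Constructed domain SIDs; a real backend would ask winbindd for these.
DOMAIN_SIDS = {
    "DOMAINA": "S-1-5-21-111-222-333",
    "DOMAINB": "S-1-5-21-444-555-666",
}

def parse_ranges(backend: str) -> Dict[str, Tuple[int, int]]:
    """Parse 'idmap_rid: DOM=low-high, ...' into {DOM: (low, high)}.
    Overlapping ranges are refused: they would make id -> sid ambiguous."""
    _, _, spec = backend.partition(":")
    ranges: Dict[str, Tuple[int, int]] = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        m = re.fullmatch(r"(\w+)=(\d+)-(\d+)", item)
        if not m or int(m.group(2)) > int(m.group(3)):
            raise ValueError(f"bad range spec: {item!r}")
        dom, low, high = m.group(1), int(m.group(2)), int(m.group(3))
        for other, (olow, ohigh) in ranges.items():
            if low <= ohigh and olow <= high:
                raise ValueError(f"{dom} overlaps {other}")
        ranges[dom] = (low, high)
    return ranges

def sid_to_id(ranges: Dict[str, Tuple[int, int]], sid: str) -> Optional[int]:
    """uid/gid = range base + RID, but only while the result stays inside the
    domain's own range; a RID that overflows it (the 100500 and 10500 cases
    in the reply) is refused rather than mapped onto another domain's ids."""
    dom_sid, _, rid = sid.rpartition("-")
    for dom, (low, high) in ranges.items():
        if DOMAIN_SIDS.get(dom) == dom_sid:
            xid = low + int(rid)
            return xid if low <= xid <= high else None
    return None  # domain not configured: discarded, as the proposal says

def id_to_sid(ranges: Dict[str, Tuple[int, int]], xid: int) -> Optional[str]:
    """Reverse mapping by range; it cannot tell a uid from a gid."""
    for dom, (low, high) in ranges.items():
        if low <= xid <= high:
            return f"{DOMAIN_SIDS[dom]}-{xid - low}"
    return None

RANGES = parse_ranges(CONFIG)

if __name__ == "__main__":
    print(sid_to_id(RANGES, DOMAIN_SIDS["DOMAINA"] + "-500"))     # 10500
    print(sid_to_id(RANGES, DOMAIN_SIDS["DOMAINA"] + "-10500"))   # None
    print(id_to_sid(RANGES, 20500))  # same answer for wbinfo -U and -G
```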

