updated newidmap

simo idra at samba.org
Tue Oct 3 18:32:08 GMT 2006

On Tue, 2006-10-03 at 20:27 +0200, Volker Lendecke wrote:
> On Tue, Oct 03, 2006 at 02:17:02PM -0400, simo wrote:
> > No my idea was to make sid2uid always allocate if possible.
> The "if possible" makes it more complicated than necessary.
> We had this for ages and this has led to the current mess we
> have.

I see no other way; as we have limited resources, we need to validate
SIDs before allocating. For the caller this makes no difference.

> > The IDmap will decide if the allocation can be performed by doing a
> > lookupsid to determine the SID is actually meaningful.
> No, this should not be in the modules. If only because then
> the modules would have to link in an lsa client. The modules
> should be as simple as possible.

This will definitely NOT be in the modules. It is absolutely in the
IDmap core logic.

> > The allocation is obvious as choosing the backend depends on the SID.
> > If the SID is from BUILTIN the backend for BUILTIN is asked, if the SID
> > is from DOMAIN_X the backend responsible for DOMAIN_X is used.
> > If the SID is from an unknown (in the sense that there isn't a specific
> > backend) the default backend is asked (usually this will be the tdb
> > backend).
> No, uid/gid allocation is a global thing across all the
> backends.

No, you can't do that, as each backend has its own reserved range and
you can't allocate a UID in the wrong range if you want to be able to
use idmap_ad or idmap_ldap.

> > This is taken into account; in this case allocation will always fail.
> I suspect the callers will be more complicated than
> necessary with that approach.

I don't think so.

> > >  And
> > > just for that purpose adding idmap_tdb would bring in too
> > > much functionality for my taste.
> > 
> > I agree, but the solution imo is that allocation will simply always fail
> > and BUILTIN users/groups will simply not be used.
> Huh?
> > How else could you do that?
> idmap backend = domain1:idmap_rid:10000-19999 domain2:idmap_ad:20000-29999
> id allocator = tdb:30000-40000:30000-40000
> passdb backend = tdbsam
> (ignore the syntax, you get the idea...)
> BUILTIN and passdb would chew from the id allocator. All
> external SIDs are statically mapped. pdb_tdb takes care of
> mapping BUILTIN and its own SAM SIDs.

I think we are saying exactly the same thing in 2 different ways.

Now if we have:


we can even have 2 different pools, one reserved for builtin and one for
MYDOM; all you have to do is to ask for allocation for the right DOMAIN.
This has the beneficial effect that you don't risk allocating an ID for
the wrong domain.


Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
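The dispatch the two of them are circling (a backend per domain, each owning its own reserved id range; a default pool for BUILTIN and for SIDs no specific backend claims; and a lookupsid-style validation in the core, not in the modules, before anything is allocated) written out as an added Python example. This is not Samba code and not part of the thread. The backend classes, the range values, the config shape and the constructed SID table that stands in for an LSA lookupsid call are all assumptions made for illustration.

```python
"""Toy model of the idmap core dispatch discussed in the thread.

Added example, not Samba code. Backend classes, ranges and the
KNOWN_SIDS table are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class IdmapError(Exception):
    """Mapping failed: the caller gets no id rather than a wrong one."""


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-100-200-300-1105' -> ('S-1-5-21-100-200-300', 1105)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise IdmapError("malformed SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


@dataclass
class RidBackend:
    """idmap_rid style: id = low + rid, computed, never allocated."""
    low: int
    high: int

    def sid_to_id(self, sid: str, rid: int) -> int:
        uid = self.low + rid
        if uid > self.high:
            raise IdmapError("rid %d falls outside %d-%d" % (rid, self.low, self.high))
        return uid


@dataclass
class PoolBackend:
    """idmap_tdb style: hands out the next free id from its own range and remembers it."""
    low: int
    high: int
    mapping: Dict[str, int] = field(default_factory=dict)
    next_free: int = field(init=False)

    def __post_init__(self) -> None:
        self.next_free = self.low

    def sid_to_id(self, sid: str, rid: int) -> int:
        if sid in self.mapping:          # stable: same SID, same id
            return self.mapping[sid]
        if self.next_free > self.high:   # limited resource, refuse rather than spill over
            raise IdmapError("pool %d-%d exhausted" % (self.low, self.high))
        self.mapping[sid] = self.next_free
        self.next_free += 1
        return self.mapping[sid]


class IdmapCore:
    """The core: picks the backend by domain SID, validates first, checks ranges."""

    def __init__(self, per_domain: Dict[str, object], default: Optional[object],
                 lookup_sid: Callable[[str], Optional[str]]) -> None:
        self.per_domain = per_domain
        self.default = default
        self.lookup_sid = lookup_sid   # stand-in for an LSA lookupsid client
        self._check_ranges()

    def _check_ranges(self) -> None:
        """Reject a config where two backends could hand out the same id."""
        backends = list(self.per_domain.values()) + ([self.default] if self.default else [])
        spans = sorted((b.low, b.high) for b in backends)
        for (lo1, hi1), (lo2, hi2) in zip(spans, spans[1:]):
            if lo2 <= hi1:
                raise IdmapError("overlapping ranges %d-%d and %d-%d" % (lo1, hi1, lo2, hi2))

    def sid2uid(self, sid: str) -> int:
        domain, rid = split_sid(sid)
        if self.lookup_sid(sid) is None:           # validate before spending an id
            raise IdmapError("SID %s does not resolve; not allocating" % sid)
        backend = self.per_domain.get(domain, self.default)
        if backend is None:
            raise IdmapError("no backend for domain %s" % domain)
        uid = backend.sid_to_id(sid, rid)
        if not backend.low <= uid <= backend.high:  # never trust a module's arithmetic
            raise IdmapError("backend returned %d outside %d-%d" % (uid, backend.low, backend.high))
        return uid


# Constructed directory standing in for what lookupsid would return.
KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-21-100-200-300-1105": "DOMAIN1\\alice",
    "S-1-5-21-100-200-300-1106": "DOMAIN1\\bob",
    "S-1-5-21-400-500-600-1001": "DOMAIN2\\carol",
    "S-1-5-21-777-888-999-500": "TRUSTED\\dave",   # trusted domain, no dedicated backend
}


def build_core() -> IdmapCore:
    """Config in the spirit of Volker's sketch: static DOMAIN1, pool for DOMAIN2, default pool."""
    return IdmapCore(
        per_domain={
            "S-1-5-21-100-200-300": RidBackend(10000, 19999),
            "S-1-5-21-400-500-600": PoolBackend(20000, 29999),
        },
        default=PoolBackend(30000, 40000),   # BUILTIN and anything else
        lookup_sid=KNOWN_SIDS.get,
    )


def run_demo() -> Dict[str, int]:
    """Map every known SID in table order; returns name -> id."""
    core = build_core()
    return {name: core.sid2uid(sid) for sid, name in KNOWN_SIDS.items()}


def try_map(core: IdmapCore, sid: str) -> Optional[int]:
    """None instead of an exception, for callers that only want to know if it failed."""
    try:
        return core.sid2uid(sid)
    except IdmapError:
        return None


if __name__ == "__main__":
    for name, uid in run_demo().items():
        print("%-24s -> %d" % (name, uid))
```

Two things the block checks that the thread only implies: the core refuses an overlapping configuration up front, and it re-checks that whatever a module returns lies inside that module's own range, so a buggy backend cannot hand a DOMAIN1 user an id from the BUILTIN pool.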

More information about the samba-technical mailing list