IDMAP Allocator questions

Trever L. Adams trever.adams at
Wed Jul 7 06:54:45 MDT 2010

Hello everyone,

Yesterday I sent a message stating my intent to try and add an allocator
that would work with Samba 4 ADS. I have been digging into the code and
have hit several problems.

I have read that the allocators can't be used on a domain by domain
basis and I have read that they can. I am not sure which is accurate. (I
haven't dug into that code yet.)

Looking at idmap_adex, which is what I would like to extend, it seems
knowing the domain is important. I had decided it would be better to
rewrite the allocator from idmap_ldap, making it work in idmap_adex with
the modification that it will search for a free uid/gid instead of just
exiting if we are past the high end of the range. This is slow, but think
of local schools: if you do a similar partition scheme to idmap_hash and
trust between schools, the 100K could run out rather quickly, but could
be recycled.

As I try to wrap my head around idmap_adex it seems domain sid is
important. However, in:
NTSTATUS idmap_allocate_uid( uid_t *uid);
NTSTATUS idmap_allocate_gid( gid_t *gid);

there seems to be no way to get at this information.

With DOM# where # is 1-7 with each trusting the others, I am hoping that
I can do something like the following:

idmap domains = DOM1 DOM2 ...
idmap config LocalDom:default = yes
idmap config LocalDom:backend = idmap_adex
idmap config LocalDom:range = 10000 - 50000
idmap LocalDom alloc backend = idmap_adex (as described above)

idmap config ForeignDom:default = yes
idmap config ForeignDom:backend = idmap_adex
idmap config ForeignDom:range = appropriate range

# No allocator for Foreign DOM#

winbind nss info = adex
winbind normalize names = yes

P.S. I am using the git tree samba and
as a reference.
"The hands that help are better far than the lips that pray." -- Robert
G. Ingersoll
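
The allocation scheme proposed in the message above (issue IDs up to the high end of the range, then search for a free uid/gid instead of exiting), as an added example that is not part of the original post and is not Samba code. The names `struct id_pool`, `pool_init`, `pool_release` and `pool_allocate` are hypothetical, and an in-memory table is assumed in place of the directory lookup a real backend would perform.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Range from the post's "idmap config LocalDom:range = 10000 - 50000". */
#define RANGE_LOW  10000u
#define RANGE_HIGH 50000u
#define RANGE_SIZE (RANGE_HIGH - RANGE_LOW + 1u)

/* Hypothetical state: a real backend would ask the directory whether an ID
 * is taken; this in-memory table stands in for that lookup. */
struct id_pool {
    bool     used[RANGE_SIZE];
    uint32_t next;              /* high-water mark: next never-issued ID */
};

void pool_init(struct id_pool *p)
{
    memset(p, 0, sizeof(*p));
    p->next = RANGE_LOW;
}

/* Release an ID so a later scan can recycle it; rejects IDs that are
 * outside the range or not currently in use. */
bool pool_release(struct id_pool *p, uint32_t id)
{
    if (id < RANGE_LOW || id > RANGE_HIGH || !p->used[id - RANGE_LOW])
        return false;
    p->used[id - RANGE_LOW] = false;
    return true;
}

/* Fast path: issue the high-water mark. Once it is past RANGE_HIGH, scan
 * the range for a released ID instead of failing outright. */
bool pool_allocate(struct id_pool *p, uint32_t *out)
{
    uint32_t id = p->next;
    if (id > RANGE_HIGH)        /* slow path: linear search for a gap */
        for (id = RANGE_LOW; id <= RANGE_HIGH && p->used[id - RANGE_LOW]; id++)
            ;
    if (id > RANGE_HIGH)
        return false;           /* range is genuinely exhausted */
    if (id == p->next)
        p->next++;
    p->used[id - RANGE_LOW] = true;
    *out = id;
    return true;
}
```

A recycled uid/gid still owns any files and ACL entries left behind by its previous holder, so an ID should only be released once those have been cleaned up or reassigned.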
