read/write idmapping in s4 rfc 2307 mode

Andrew Bartlett abartlet at samba.org
Thu Jul 12 16:52:22 MDT 2012 

On Thu, 2012-07-12 at 15:36 +0200, Gémes Géza wrote:
> 2012-07-12 15:22 keltezéssel, Andrew Bartlett írta:
> > On Thu, 2012-07-12 at 15:14 +0200, Michael Adam wrote:
> >> Andrew Bartlett wrote:
> >>> Gémes,
> >>>
> >>> Indeed, this is exactly the purpose for which this was implemented.  I'm
> >>> glad you find it useful!
> >> If I read the code correctly, the s4-idmap code only reads the
> >> rfc 2307 attributest but does not write to them. New mappings are
> >> created in the idmap.ldb always.
> >>
> >> This is confusing.
> > It is, but we operate under some limitations and this was as much as I
> > felt I could safely enable.
> >
> >> Shouldn't we add a mode where new mappings are also created in
> >> the sam's posix attributes if the "use rfc" is on?
> > The issue is distributed/atomic uid allocation across the domain.  At
> > the moment, the RID is the only thing that gains these properties.  This
> > could be combined with trustPosixOffset once we both implement that (the
> > PDC emulator needs to recognise an incoming trust without one of these,
> > and add the offset attribute)
> >
> > I'm also discussing with Gémes about the
> > msSFU30MaxUidNumber/msSFU30MaxGidNumber attributes in the 'Re: Samba4
> > patch for manipulating Unix attributes via ADUC' thread.  These
> > attributes are enticing, but without atomic allocation, there is an
> > inherit race condition.
> >
> > Finally, if we allocate these for users that are not subject to upgrade,
> > we have the issue that we cannot issue IDMAP_BOTH mappings via the
> > standard schema, and so groups created with these id mappings cannot own
> > files.
> >
> > As always with idmap, there are many problems, and only a few, partial
> > solutions.
> >
> > Thanks,
> >
> > Andrew Bartlett
> A quick and dirty solution to the problem would be to use the RID as the 
> uidnumber/gidnumber on allocation, that way it is going to be unique 
> across the domain (in the forest it is another story), plus each group 
> could get an uidnumber (via idmap) as well.

This is essentially the trustPosixOffset and idmap_rid approach.
Implementing these as optional behaviours would be valuable.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list