Samba4 idmap using uidNumber/gidNumber

Andrew Bartlett abartlet at
Sun Jun 10 06:21:20 MDT 2012

On Sun, 2012-06-10 at 09:39 +0200, Gémes Géza wrote:
> On 2012-06-10 08:02, Andrew Bartlett wrote:
> > Steve,
> >
> > Attached is a patch that I know you and a number of our users will be
> > interested in.  This patch makes Samba4 honour the uidNumber/gidNumber
> > attributes in the directory, when present. 
> >
> > This is done in a simple manner - we simply search the directory first.
> > No attempt at resolving conflicts with the idmap.ldb is done, the
> > directory simply wins. 
> >
> > I haven't had a chance to test this yet (just got it to compile), but if
> > you wish to test/comment in a non-production environment, it will assist
> > us in bringing this important functionality to the Samba 4.0 release.
> >
> > Beyond this, the next step will be to make the 'samba-tool domain
> > samba3upgrade' tool populate these mappings, rather than idmap.ldb.
> >
> > Michael,
> >
> > If you have any thoughts or comments on how this is done, please let me
> > know.  I would have liked to call into idmap_ad directly, but it is tied
> > too much into the s3 winbind to use directly, so I've instead just tried
> > to make it compatible.  The additional behaviour that I can see is that
> > there is no idmap range specified (all uidNumber values in the directory
> > are accepted) and we fall back to an ldb mapping on failure to find an
> > AD mapping.
> >
> > Thanks,
> >
> > Andrew Bartlett
> Hi,
> That's really fantastic news (I can't wait to finish building it). Just
> two questions:
> 1. How would s3fs behave encountering a group which would need to have
> a uid (for owning some files)?

It can't do that.  But for the use case (upgrades from samba3 domains)
we can't do that anyway (we mapped to ID_TYPE_UID and ID_TYPE_GID). 

I am interested in ideas about how we should mark a record with matching
uid/gid.  It is attractive to use the gidNumber (the user's primary
group), if we had some indication that this was set as a user-private

Ideally this needs to be done in a way that s3's winbindd can also
detect and use in idmap_ad. 

> 2. Are there plans to implement shell and homedir lookups too (for nss)?

Not at this time.  Full 'like samba3' implementation will probably need
to wait for us to switch to the s3 winbindd, but patches are welcome. 

One difficulty is that in the current architecture, the s4 winbindd
actually uses only DCE/RPC to talk to the user database!

In idmap, I cheat and just open the local sam.ldb.  

My current patches (the patches I posted were duds) are with some others

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
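The lookup order described in the thread, written out as an added example that is not Samba's code and not the posted patch: search the directory for the SID first and honour uidNumber (users) or gidNumber (groups) when present, with the directory winning over any conflicting idmap.ldb entry, and fall back to an idmap.ldb-style allocated mapping only when the directory has no attribute. The in-memory dicts stand in for sam.ldb and idmap.ldb (a real implementation would query them with Samba's ldb bindings); the sample SIDs and entries are constructed; ID_TYPE_BOTH for SIDs the directory does not know, the 3000000..4000000 allocation pool, the optional `allowed_range` check, and refusing an ambiguous reverse lookup when two entries carry the same uidNumber are this example's own choices, not statements about the patch, which, per the mail, applies no range at all.

```python
"""Added example: SID <-> uid/gid resolution that honours uidNumber/gidNumber
in the directory before falling back to an idmap.ldb-style allocation.
Not Samba code; sam.ldb and idmap.ldb are modelled with in-memory dicts."""
from typing import Dict, List, Optional, Tuple

ID_TYPE_UID = "ID_TYPE_UID"
ID_TYPE_GID = "ID_TYPE_GID"
ID_TYPE_BOTH = "ID_TYPE_BOTH"  # assumed here for SIDs absent from the directory

# Constructed sample of sam.ldb, keyed by objectSid; attribute -> list of
# values, the way ldb hands back multi-valued attributes.
SAM_LDB: Dict[str, Dict[str, List[str]]] = {
    "S-1-5-21-1-2-3-1104": {"objectClass": ["user"], "sAMAccountName": ["alice"],
                            "uidNumber": ["10001"], "gidNumber": ["10000"]},
    "S-1-5-21-1-2-3-1105": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "S-1-5-21-1-2-3-513": {"objectClass": ["group"], "sAMAccountName": ["Domain Users"],
                           "gidNumber": ["10000"]},
    "S-1-5-21-1-2-3-1106": {"objectClass": ["group"], "sAMAccountName": ["staff"]},
}


class IdmapLdb:
    """Stand-in for idmap.ldb: remembers SID<->xid pairs and hands out new
    xids from a pool (3000000..4000000 is an assumption of this example)."""

    def __init__(self, lower: int = 3000000, upper: int = 4000000) -> None:
        self.next_xid = lower
        self.upper = upper
        self.by_sid: Dict[str, Tuple[str, int]] = {}

    def lookup_or_allocate(self, sid: str, id_type: str) -> Tuple[str, int]:
        if sid not in self.by_sid:
            if self.next_xid >= self.upper:
                raise RuntimeError("idmap pool exhausted")
            self.by_sid[sid] = (id_type, self.next_xid)
            self.next_xid += 1
        return self.by_sid[sid]

    def sid_for_xid(self, id_type: str, xid: int) -> Optional[str]:
        for sid, (t, x) in self.by_sid.items():
            if x == xid and t in (id_type, ID_TYPE_BOTH):
                return sid
        return None


def sid_to_xid(sid: str, sam: Dict[str, Dict[str, List[str]]], idmap: IdmapLdb,
               allowed_range: Optional[Tuple[int, int]] = None) -> Tuple[str, int]:
    """Directory first; idmap.ldb only if the directory has no usable value."""
    entry = sam.get(sid)
    if entry is None:
        return idmap.lookup_or_allocate(sid, ID_TYPE_BOTH)
    classes = entry["objectClass"]
    if "user" in classes:
        id_type, attr = ID_TYPE_UID, "uidNumber"
    elif "group" in classes:
        id_type, attr = ID_TYPE_GID, "gidNumber"
    else:
        id_type, attr = ID_TYPE_BOTH, None
    if attr is not None and attr in entry:
        xid = int(entry[attr][0])
        # The patch accepts every directory value (no idmap range); the
        # allowed_range check is this example's optional tightening.
        if allowed_range is None or allowed_range[0] <= xid <= allowed_range[1]:
            return (id_type, xid)  # directory wins, even over an idmap.ldb entry
    return idmap.lookup_or_allocate(sid, id_type)


def xid_to_sid(id_type: str, xid: int, sam: Dict[str, Dict[str, List[str]]],
               idmap: IdmapLdb) -> Optional[str]:
    """Reverse direction: the equivalent of an ldb search on (uidNumber=N)
    or (gidNumber=N), then idmap.ldb if the directory has no match."""
    attr = "uidNumber" if id_type == ID_TYPE_UID else "gidNumber"
    wanted_class = "user" if id_type == ID_TYPE_UID else "group"
    matches = [s for s, e in sam.items()
               if wanted_class in e["objectClass"] and e.get(attr, [None])[0] == str(xid)]
    if len(matches) > 1:
        # Two accounts sharing one uidNumber/gidNumber: refuse rather than pick
        # one (this example's choice; the mail does not say what the patch does).
        return None
    if matches:
        return matches[0]
    return idmap.sid_for_xid(id_type, xid)


if __name__ == "__main__":
    idmap = IdmapLdb()
    for sid in list(SAM_LDB) + ["S-1-5-32-544"]:
        print(sid, "->", sid_to_xid(sid, SAM_LDB, idmap))
    print(xid_to_sid(ID_TYPE_UID, 10001, SAM_LDB, idmap))
```

The conflict case is the one to watch when migrating: an account that already has an idmap.ldb entry but later gains a uidNumber changes uid on the next lookup, so file ownership on disk has to be reconciled by the administrator, not by this lookup.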

More information about the samba-technical mailing list