Samba4 idmap using uidNumber/gidNumber

Gémes Géza geza at
Sun Jun 10 15:33:57 MDT 2012

On 2012-06-10 14:21, Andrew Bartlett wrote:
> On Sun, 2012-06-10 at 09:39 +0200, Gémes Géza wrote:
>> On 2012-06-10 08:02, Andrew Bartlett wrote:
>>> Steve,
>>> Attached is a patch that I know you and a number of our users will be
>>> interested in.  This patch makes Samba4 honour the uidNumber/gidNumber
>>> attributes in the directory, when present. 
>>> This is done in a simple manner - we simply search the directory first.
>>> No attempt at resolving conflicts with the idmap.ldb is done, the
>>> directory simply wins. 
>>> I haven't had a chance to test this yet (just got it to compile), but if
>>> you wish to test/comment in a non-production environment, it will assist
>>> us in bringing this important functionality to the Samba 4.0 release.
>>> Beyond this, the next step will be to make the 'samba-tool domain
>>> samba3upgrade' tool populate these mappings, rather than idmap.ldb.
>>> Michael,
>>> If you have any thoughts or comments on how this is done, please let me
>>> know.  I would have liked to call into idmap_ad directly, but it is tied
>>> too much into the s3 winbind to use directly, so I've instead just tried
>>> to make it compatible.  The additional behaviour that I can see is that
>>> there is no idmap range specified (all uidNumber values in the directory
>>> are accepted) and we fall back to an ldb mapping on failure to find an
>>> AD mapping.
>>> Thanks,
>>> Andrew Bartlett
>> Hi,
>> That's really fantastic news (I can't wait to finish building it). Just
>> two questions:
>> 1. How would s3fs behave encountering a group which would need to have
>> an uid (for owning some files)?
> It can't do that.  But for the use case (upgrades from samba3 domains)
> we can't do that anyway (we mapped to ID_TYPE_UID and ID_TYPE_GID). 
> I am interested in ideas about how we should mark a record with matching
> uid/gid.  It is attractive to use the gidNumber (the user's primary
> group), if we had some indication that this was set as a user-private
> group. 
> Ideally this needs to be done in a way that s3's winbindd can also
> detect and use in idmap_ad. 
>> 2. Are there plans to implement shell and homedir lookups too (for nss)?
> Not at this time.  Full 'like samba3' implementation will probably need
> to wait for us to switch to the s3 winbindd, but patches are welcome. 
> One difficultly is that in the current architecture, the s4 winbindd
> actually uses only DCE/RPC to talk to the user database!
> In idmap, I cheat and just open the local sam.ldb.  
> My current patches (the patches I posted were duds) are with some others
> at:
> Andrew Bartlett
Regarding groups which need to have also an uid, IMHO the best solution
would be to have the idmap.ldb in the directory for example as a new
partition, then for each SID->uid or uid->SID map which won't get a
result from the main partition, searching the idmap.ldb would give an
uniform answer across the domain.



More information about the samba-technical mailing list