Samba4 idmap using uidNumber/gidNumber

Andrew Bartlett abartlet at
Sun Jun 10 19:05:01 MDT 2012

On Sun, 2012-06-10 at 16:59 -0700, Matthieu Patou wrote:
> Hello Gemes,
> > Regarding groups which also need to have a uid, IMHO the best solution
> > would be to have the idmap.ldb in the directory, for example as a new
> > partition; then for each SID->uid or uid->SID map which won't get a
> > result from the main partition, searching the idmap.ldb would give a
> > uniform answer across the domain.
> It's a seductive idea but it has a couple of implications and corner cases:
> * conflicts can still happen: 2 DCs allocating a different uid for a
> given group because they were requested to do so before replication has
> occurred

Indeed, and this is why I have no allocation attached to the main
directory, just as AD does. 

> * a search against a full-blown ldb is much, much slower than a search
> against a standalone ldb; even if you might not notice it on a small
> provision, it will be much more noticeable on bigger provisions and there
> will be cases when you don't want to have to pay this price.

These will be indexed searches on indexes with either forced or normally
unique values, so I'm not expecting a major impact from this.

This does however raise the question of doing the idmap in the
non-upgrade case better.  It is interesting to note that there is a
trustPosixOffset parameter for each trusted domain.  This is handled
uniquely - it is only actually set on the PDC emulator (after
replication to that server). 

The behaviour would then be like idmap_rid, but with the RID offset
being in the directory.

We need to determine the full implications (and support filling in the
posixOffset when we are a DC in a multi-domain forest), but it is an
enticing possibility.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
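The scheme Andrew sketches above (idmap_rid-style arithmetic, but with the per-domain offset coming from the directory) can be modelled in a few lines. The following is an added example, not Samba code: the offset table is a constructed stand-in for the trustPosixOffset attribute, the domain SIDs and range sizes are made up, and the overlap check is included because the thread's main worry is two identities ending up with the same uid.

```python
"""Toy idmap_rid-style mapping with a per-domain offset.

Added example, not Samba's implementation. uid = per-domain offset + RID,
with the offset taken from a table that stands in for the directory
(the real design would read trustPosixOffset on the trusted-domain object).
All SIDs, offsets and range sizes below are constructed for illustration.
"""
from typing import Optional

# Constructed stand-in for the directory: domain SID -> (posix offset, range size).
DOMAIN_OFFSETS = {
    "S-1-5-21-1111-2222-3333": (1_000_000, 1_000_000),   # local domain (made up)
    "S-1-5-21-4444-5555-6666": (2_000_000, 1_000_000),   # trusted domain (made up)
}


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID).

    Raises ValueError for anything that is not a well-formed SID with at
    least one sub-authority.
    """
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_id(sid: str) -> Optional[int]:
    """Map a SID to a uid/gid.

    Returns None when the SID's domain has no offset (unknown trust) or
    when the RID would spill past the end of the domain's range.
    """
    domain, rid = split_sid(sid)
    entry = DOMAIN_OFFSETS.get(domain)
    if entry is None:
        return None
    offset, size = entry
    if rid >= size:
        return None
    return offset + rid


def id_to_sid(xid: int) -> Optional[str]:
    """Reverse mapping: find the domain whose range contains xid."""
    for domain, (offset, size) in DOMAIN_OFFSETS.items():
        if offset <= xid < offset + size:
            return f"{domain}-{xid - offset}"
    return None


def check_ranges(offsets=DOMAIN_OFFSETS) -> list[tuple[str, str]]:
    """Return adjacent pairs of domains whose ranges overlap.

    An overlap means two distinct SIDs can map to one uid, which is the
    kind of conflict the thread is concerned about; a deployment should
    refuse or repair such a table before handing out ids.
    """
    items = sorted(offsets.items(), key=lambda kv: kv[1][0])
    clashes = []
    for (d1, (o1, s1)), (d2, (o2, _s2)) in zip(items, items[1:]):
        if o1 + s1 > o2:
            clashes.append((d1, d2))
    return clashes


if __name__ == "__main__":
    print(sid_to_id("S-1-5-21-1111-2222-3333-500"))          # 1000500
    print(id_to_sid(2_001_106))                              # S-1-5-21-4444-5555-6666-1106
    print(check_ranges({"A": (100, 50), "B": (120, 50)}))    # [('A', 'B')]
```

Because every DC computes the same arithmetic from the same replicated offset, no per-DC allocation state is needed, which is what removes the "two DCs allocate before replication" race; the remaining failure modes are an unknown domain and an offset table whose ranges overlap, both of which the functions above surface as None or as a clash list.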