Samba4 idmap using uidNumber/gidNumber
mat at samba.org
Sun Jun 10 22:13:30 MDT 2012
On 06/10/2012 06:05 PM, Andrew Bartlett wrote:
> On Sun, 2012-06-10 at 16:59 -0700, Matthieu Patou wrote:
>> Hello Gemes,
>>> Regarding groups which need to have also an uid, IMHO the best solution
>>> would be to have the idmap.ldb in the directory for example as a new
>>> partition, then for each SID->uid or uid->SID map which won't get a
>>> result from the main partition, searching the idmap.ldb would give an
>>> uniform answer across the domain.
>> It's a seductive idea, but it has a couple of implications and corner cases:
>> * conflicts can still happen: 2 DCs allocating a different uid for a
>> given group because they were requested to do so before replication has
> Indeed, and this is why I have no allocation attached to the main
> directory, just as AD does.
>> * a search on a full-blown ldb is much, much slower than a search
>> on a standalone ldb; even if you might not notice it on a small
>> provision, it will be much more noticeable on a bigger provision, and there
>> will be cases when you don't want to have to pay this price.
> These will be indexed searches on indexes with either forced or normally
> unique values, so I'm not expecting a major impact from this.
Well, even indexed searches are costly with the current ldb design; they are
much cheaper than the non-indexed version, but still.
> This does however raise the question of doing the idmap in the
> non-upgrade case better. It is interesting to note that there is a
> trustPosixOffset parameter for each trusted domain. This is handled
> uniquely - it is only actually set on the PDC emulator (after
> replication to that server).
> The behaviour would then be like idmap_rid, but with the RID offset
> being in the directory.
That's very good news. I was thinking of a simple patch to have a kind
of idmap_rid in samba 4.0 for those with more than 1 DC, or those with a
mix of samba domain members (where uid/gid are managed by the standalone
winbindd) and samba AD domain controllers and who want to have the same
UID across all the servers.
Samba Team http://samba.org
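The idmap_rid-style scheme discussed above (unix id = per-domain offset + RID, with the offset stored once in the directory rather than allocated by each DC), as an added Python example that is not part of this thread or of Samba's own idmap code. The domain SIDs, offsets and range size are constructed, and the per-domain offset table is an assumed stand-in for a directory-held value such as trustPosixOffset; it shows why two DCs (or a domain member with its own winbindd) derive the same id without coordinating, and the one check the offset choice must pass so that domain ranges cannot collide.

```python
import re

# Constructed per-domain offsets: each stands in for a value stored once in the
# directory (the thread mentions trustPosixOffset on the PDC emulator). These
# SIDs and numbers are made up for the example.
DOMAIN_OFFSETS = {
    "S-1-5-21-1111-2222-3333": 100000,  # our own domain (constructed)
    "S-1-5-21-4444-5555-6666": 200000,  # a trusted domain (constructed)
}
# Width of the unix-id range reserved for each domain (assumption: fixed size).
RANGE_SIZE = 100000

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split a string SID into (domain SID, RID); raises ValueError if malformed."""
    if not _SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def sid_to_id(sid, offsets=DOMAIN_OFFSETS, range_size=RANGE_SIZE):
    """Deterministic SID -> uid/gid: per-domain offset plus RID, no allocation step."""
    domain, rid = split_sid(sid)
    if domain not in offsets:
        raise KeyError(f"no offset known for domain {domain}")
    if rid >= range_size:
        # A RID past the range end would land inside another domain's ids.
        raise ValueError(f"RID {rid} does not fit in a range of size {range_size}")
    return offsets[domain] + rid


def id_to_sid(xid, offsets=DOMAIN_OFFSETS, range_size=RANGE_SIZE):
    """Reverse mapping: find the domain whose range contains xid."""
    for domain, base in offsets.items():
        if base <= xid < base + range_size:
            return f"{domain}-{xid - base}"
    raise KeyError(f"unix id {xid} is not inside any domain range")


def ranges_disjoint(offsets, range_size=RANGE_SIZE):
    """True if no two domain ranges overlap; the offsets must be chosen so this holds."""
    spans = sorted((base, base + range_size) for base in offsets.values())
    return all(spans[i][1] <= spans[i + 1][0] for i in range(len(spans) - 1))


def mapping_agrees(sid, *servers):
    """True if every server, each holding its own copy of the offset table, derives the same id."""
    ids = {sid_to_id(sid, offsets) for offsets in servers}
    return len(ids) == 1


if __name__ == "__main__":
    dc1 = dict(DOMAIN_OFFSETS)
    dc2 = dict(DOMAIN_OFFSETS)  # replicated copy on a second DC or a domain member
    sid = "S-1-5-21-1111-2222-3333-1105"
    print(sid, "->", sid_to_id(sid))
    print("same id on both servers:", mapping_agrees(sid, dc1, dc2))
    print("domain ranges disjoint:", ranges_disjoint(DOMAIN_OFFSETS))
```

Because the id is a pure function of the SID and the replicated offset, the "two DCs allocate different uids before replication" conflict from the quoted message cannot arise; what moves to the administrator is the one-time choice of non-overlapping offsets, which `ranges_disjoint` verifies, and a RID outside the range is refused rather than silently mapped onto another domain's ids.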