Samba4 idmap using uidNumber/gidNumber

Matthieu Patou mat at
Sun Jun 10 22:13:30 MDT 2012

On 06/10/2012 06:05 PM, Andrew Bartlett wrote:
> On Sun, 2012-06-10 at 16:59 -0700, Matthieu Patou wrote:
>> Hello Gemes,
>>> Regarding groups which also need to have a uid, IMHO the best solution
>>> would be to have the idmap.ldb in the directory, for example as a new
>>> partition; then for each SID->uid or uid->SID map which won't get a
>>> result from the main partition, searching the idmap.ldb would give a
>>> uniform answer across the domain.
>> It's a seductive idea but it has a couple of implications and corner cases:
>> * conflicts can still happen: 2 DCs allocating a different uid for a
>> given group because they were requested to do so before replication has
>> occurred
> Indeed, and this is why I have no allocation attached to the main
> directory, just as AD does.
>> * a search in a full-blown ldb is much, much slower than a search
>> in a standalone ldb; even if you might not notice it on a small
>> provision, it will be much more noticeable on bigger provisions and there
>> will be cases when you don't want to have to pay this price.
> These will be indexed searches on indexes with either forced or normally
> unique values, so I'm not expecting a major impact from this.
Well, even indexed searches are costly with the current ldb design; they are 
much cheaper than the non-indexed version, but still.
> This does however raise the question of doing the idmap in the
> non-upgrade case better.  It is interesting to note that there is a
> trustPosixOffset parameter for each trusted domain.  This is handled
> uniquely - it is only actually set on the PDC emulator (after
> replication to that server).
> The behaviour would then be like idmap_rid, but with the RID offset
> being in the directory.
That's very good news. I was thinking of a simple patch to have a kind 
of idmap_rid in samba 4.0 for those with more than 1 DC, or those with a 
mix of samba domain members (where uid/gid are managed by the standalone 
winbindd) and samba AD domain controllers, and who want to have the same 
UID across all the servers.

Matthieu Patou
Samba Team
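The two mapping schemes the thread compares, as an added example (not Samba's code): an idmap_rid-style deterministic SID->id mapping driven by a per-domain offset, next to a per-DC allocator of the kind that can hand out different ids on two DCs before replication. The domain SIDs, offsets and range size are constructed values; in the proposal the offset would live in the directory (cf. trustPosixOffset) rather than in a local table.

```python
# Constructed per-domain offsets (hypothetical values), keyed by domain SID.
DOMAIN_OFFSETS = {
    "S-1-5-21-1111-2222-3333": 100000,   # local domain
    "S-1-5-21-4444-5555-6666": 200000,   # trusted domain
}
RANGE_SIZE = 100000  # ids per domain; RIDs at or above this are rejected

def split_sid(sid):
    """Return (domain_sid, rid); raise ValueError for non-domain SIDs."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:3] != ["S", "1", "5"] or parts[3] != "21":
        raise ValueError("not a domain SID: %s" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def sid_to_id(sid):
    """idmap_rid style: id = domain offset + RID, no state, same on every DC."""
    domain, rid = split_sid(sid)
    base = DOMAIN_OFFSETS.get(domain)
    if base is None:
        raise ValueError("no offset for domain %s" % domain)
    if rid >= RANGE_SIZE:
        raise ValueError("RID %d outside range of domain %s" % (rid, domain))
    return base + rid

def id_to_sid(xid):
    """Reverse lookup with the same offsets; None if id is in no domain range."""
    for domain, base in DOMAIN_OFFSETS.items():
        if base <= xid < base + RANGE_SIZE:
            return "%s-%d" % (domain, xid - base)
    return None

class AllocatingIdmap:
    """Per-DC allocator (idmap.ldb style): the id depends on request order."""
    def __init__(self, start):
        self.next_id, self.table = start, {}
    def sid_to_id(self, sid):
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]

def allocation_conflict(sids_dc1, sids_dc2):
    """True if two DCs allocating independently disagree on a shared SID."""
    dc1, dc2 = AllocatingIdmap(3000000), AllocatingIdmap(3000000)
    for s in sids_dc1:
        dc1.sid_to_id(s)
    for s in sids_dc2:
        dc2.sid_to_id(s)
    common = set(dc1.table) & set(dc2.table)
    return any(dc1.table[s] != dc2.table[s] for s in common)
```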

More information about the samba-technical mailing list