Samba4 idmap using uidNumber/gidNumber

Andrew Bartlett abartlet at
Sat Jun 16 02:34:29 MDT 2012

On Sun, 2012-06-10 at 23:30 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> > Attached is a patch that I know you and a number of our users will be
> > interested in.  This patch makes Samba4 honour the uidNumber/gidNumber
> > attributes in the directory, when present. 
> > 
> > This is done in a simple manner - we simply search the directory first.
> > No attempt at resolving conflicts with the idmap.ldb is done, the
> > directory simply wins. 
> > 
> > I haven't had a chance to test this yet (just got it to compile), but if
> > you wish to test/comment in a non-production environment, it will assist
> > us in bringing this important functionality to the Samba 4.0 release.
> > 
> > Beyond this, the next step will be to make the 'samba-tool domain
> > samba3upgrade' tool populate these mappings, rather than idmap.ldb.
> > 
> > Michael,
> > 
> > If you have any thoughts or comments on how this is done, please let me
> > know.  I would have liked to call into idmap_ad directly, but it is tied
> > too much into the s3 winbind to use directly, so I've instead just tried
> > to make it compatible.  The additional behaviour that I can see is that
> > there is no idmap range specified (all uidNumber values in the directory
> > are accepted) and we fall back to an ldb mapping on failure to find an
> > AD mapping.
> I think we should not mix this, there needs to be a configuration option
> to trigger the new behavior. For ID_MAP_BOTH we should check if the object
> has uidNumber and gidNumber on the same object with the same value.


I first want to apologise for merging this over your objections.  I
totally missed your mail to the list!

As to a configuration option, I just wonder what the value is:  if
uidNumber and gidNumber values are filled in on the directory (and they
can only be set by the administrator), it seems to me that the intent is
clear.  We certainly couldn't make a change like this after the release,
but it seems to be the behaviour folks doing upgrades have been begging
us for.  (Naturally, we can just set it during the upgrade path, but
then we still need to set it on replicating peers). 

As to using an identical uidNumber and gidNumber as the clue - the
problem is that in rfc2307 gidNumber has two different meanings.  As you
know it means something similar to primaryGroupID and it means the
actual group ID value of a group object.  I'm not certain we can divine
that a gidNumber, even if identical, means a user private group and not
the user's primary group, which is distinct and may have other members. 

Certainly I would expect such a situation to be rare, but it would be
helpful if we had a safe indication. 

Again sorry for missing your objections.  How would you like to proceed
from here?


Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
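As an added illustration of the lookup order discussed above (not Samba's code and not the attached patch): directory attributes win, idmap.ldb is the fallback, Metze's ID_MAP_BOTH rule fires only when uidNumber and gidNumber sit on the same object with the same value, and a second check surfaces the gidNumber ambiguity Andrew raises. All SIDs, attribute values and the ID_MAP_UID/ID_MAP_GID labels are constructed for the example.

```python
# Constructed sample data: objectSid -> rfc2307-style attributes on an AD object.
DIRECTORY = {
    "S-1-5-21-1-1-1-1001": {"objectClass": "user", "uidNumber": 10001, "gidNumber": 10001},
    "S-1-5-21-1-1-1-1002": {"objectClass": "user", "uidNumber": 10002, "gidNumber": 513},
    "S-1-5-21-1-1-1-513":  {"objectClass": "group", "gidNumber": 513},
    "S-1-5-21-1-1-1-1003": {"objectClass": "user"},  # no uidNumber/gidNumber set
}

# Constructed fallback: objectSid -> (type label, allocated id), as idmap.ldb would hold.
IDMAP_LDB = {
    "S-1-5-21-1-1-1-1003": ("ID_MAP_UID", 3000000),
}


def resolve(sid):
    """Return (type label, xid) or None.

    The directory is searched first and simply wins; idmap.ldb is only
    consulted when the object carries no usable uidNumber/gidNumber.
    """
    obj = DIRECTORY.get(sid)
    if obj is not None:
        uid, gid = obj.get("uidNumber"), obj.get("gidNumber")
        if obj["objectClass"] == "user" and uid is not None:
            # Metze's proposal: ID_MAP_BOTH only if uidNumber and gidNumber
            # are present on the same object with the same value.
            if gid == uid:
                return ("ID_MAP_BOTH", uid)
            return ("ID_MAP_UID", uid)
        if obj["objectClass"] == "group" and gid is not None:
            return ("ID_MAP_GID", gid)
    return IDMAP_LDB.get(sid)


def primary_group_overlaps(directory):
    """Andrew's concern: a user's gidNumber that equals a group object's
    gidNumber is that group's ID (the primary group, which may have other
    members), not a user private group.  Map each such user SID to the
    group SID so an administrator can review the overlap."""
    groups = {a["gidNumber"]: sid for sid, a in directory.items()
              if a["objectClass"] == "group" and "gidNumber" in a}
    return {sid: groups[a["gidNumber"]] for sid, a in directory.items()
            if a["objectClass"] == "user" and a.get("gidNumber") in groups}
```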
