Samba4 idmap using uidNumber/gidNumber

Stefan (metze) Metzmacher metze at
Sat Jun 16 02:43:32 MDT 2012

Hi Andrew,

>>> If you have any thoughts or comments on how this is done, please let me
>>> know.  I would have liked to call into idmap_ad directly, but it is tied
>>> too much into the s3 winbind to use directly, so I've instead just tried
>>> to make it compatible.  The additional behaviour that I can see is that
>>> there is no idmap range specified (all uidNumber values in the directory
>>> are accepted) and we fall back to an ldb mapping on failure to find an
>>> AD mapping.
>> I think we should not mix this, there needs to be a configuration option
>> to trigger the new behavior. For ID_MAP_BOTH we should check if the object
>> has uidNumber and gidNumber on the same object with the same value.
> Metze,
> I first want to apologise for merging this over your objections.  I
> totally missed your mail to the list!
> As to a configuration option, I just wonder what the value is:  if
> uidNumber and gidNumber values are filled in on the directory (and they
> can only be set by the administrator), it seems to me that the intent is
> clear.  We certainly couldn't make a change like this after the release,
> but it seems to be the behaviour folks doing upgrades have been begging
> us for.  (Naturally, we can just set it during the upgrade path, but
> then we still need to set it on replicating peers). 
> As to using an identical uidNumber and gidNumber as the clue - the
> problem is that in rfc2307 gidNumber has two different meanings.  As you
> know it means something similar to primaryGroupID and it means the
> actual group ID value of a group object.  I'm not certain we can divine
> that a gidNumber, even if identical, means a user private group and not
> the user's primary group, which is distinct and may have other members. 
> Certainly I would expect such a situation to be rare, but it would be
> helpful if we had a safe indication. 
> Again sorry for missing your objections.  How would you like to proceed
> from here?

The admin could add this value for use on a member server; while doing so,
I'm sure he didn't want to magically change the mapping on a running
domain controller.

Just as 'idmap_ad' is explicitly configured with a range etc. on a member server,
the admin should explicitly indicate that he wants to use the values on
the domain controller!

Please add an option and make it default to false.
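The policy argued about above, as an added example that is not part of this message or of Samba's own idmap code: an opt-in switch that defaults to off, so that an existing domain controller keeps its allocated ldb mapping until the admin turns the switch on; when it is on, a user is mapped ID_TYPE_BOTH only if uidNumber and gidNumber sit on the same object with the same value and no group object also claims that gidNumber (Andrew's primary-group ambiguity), otherwise ID_TYPE_UID; groups map their gidNumber as ID_TYPE_GID; anything without rfc2307 attributes falls back to an ldb-style allocation. The SIDs, the directory contents and the allocation range are constructed for illustration, and the assumption that the ldb fallback hands out ID_TYPE_BOTH is marked in the code. For reference, the switch Samba later shipped for this is the smb.conf parameter `idmap_ldb:use rfc2307`, which is off by default; it is not named in the thread.

```python
# Added example (not Samba code): a model of the opt-in rfc2307 idmap policy
# discussed in this thread. SIDs and directory contents are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# xid types as used by Samba's idmap layer
ID_TYPE_UID = "ID_TYPE_UID"
ID_TYPE_GID = "ID_TYPE_GID"
ID_TYPE_BOTH = "ID_TYPE_BOTH"


@dataclass(frozen=True)
class Entry:
    """A directory object reduced to the attributes the mapping needs."""
    sid: str
    object_class: str                 # "user" or "group"
    uidNumber: Optional[int] = None
    gidNumber: Optional[int] = None


@dataclass(frozen=True)
class Mapping:
    xid: int
    xid_type: str
    source: str                       # "rfc2307" or "ldb"


# Constructed SIDs in a hypothetical domain S-1-5-21-1-2-3
DOMAIN_USERS = "S-1-5-21-1-2-3-513"
ALICE = "S-1-5-21-1-2-3-1104"
BOB = "S-1-5-21-1-2-3-1105"
CAROL = "S-1-5-21-1-2-3-1106"


def sample_directory() -> List[Entry]:
    """Constructed directory covering the cases raised in the thread."""
    return [
        # group gidNumber: the gid of the group itself (first rfc2307 meaning)
        Entry(DOMAIN_USERS, "group", gidNumber=513),
        # uidNumber == gidNumber and no group object owns that gid:
        # reads as a user private group, so ID_TYPE_BOTH is safe
        Entry(ALICE, "user", uidNumber=10000, gidNumber=10000),
        # user gidNumber that points at a primary group (second meaning)
        Entry(BOB, "user", uidNumber=10001, gidNumber=513),
        # no rfc2307 attributes at all: must fall back to the ldb mapping
        Entry(CAROL, "user"),
    ]


class Idmap:
    def __init__(self, directory: List[Entry], use_rfc2307: bool = False,
                 ldb_range=(3000000, 4000000)):
        self.directory: Dict[str, Entry] = {e.sid: e for e in directory}
        self.use_rfc2307 = use_rfc2307        # the option asked for; default off
        self.next_ldb, self.ldb_end = ldb_range
        self.ldb_table: Dict[str, Mapping] = {}
        # gidNumber -> group SIDs owning it, to detect the ambiguous case
        self.gid_owners: Dict[int, List[str]] = {}
        for e in directory:
            if e.object_class == "group" and e.gidNumber is not None:
                self.gid_owners.setdefault(e.gidNumber, []).append(e.sid)

    def _rfc2307(self, e: Entry) -> Optional[Mapping]:
        """Mapping from the object's own attributes, or None if it has none."""
        if e.object_class == "group":
            if e.gidNumber is None:
                return None
            return Mapping(e.gidNumber, ID_TYPE_GID, "rfc2307")
        if e.uidNumber is None:
            return None
        # ID_TYPE_BOTH only when both values are on the same object, equal,
        # and no group object claims the gid (otherwise it may be a real
        # primary group with other members, not a user private group)
        if e.gidNumber == e.uidNumber and not self.gid_owners.get(e.gidNumber):
            return Mapping(e.uidNumber, ID_TYPE_BOTH, "rfc2307")
        return Mapping(e.uidNumber, ID_TYPE_UID, "rfc2307")

    def _ldb(self, e: Entry) -> Mapping:
        """Stable allocation from a private range, standing in for idmap.ldb.
        Assumption: allocated ids are handed out as ID_TYPE_BOTH."""
        if e.sid not in self.ldb_table:
            if self.next_ldb >= self.ldb_end:
                raise RuntimeError("ldb allocation range exhausted")
            self.ldb_table[e.sid] = Mapping(self.next_ldb, ID_TYPE_BOTH, "ldb")
            self.next_ldb += 1
        return self.ldb_table[e.sid]

    def sid_to_xid(self, sid: str) -> Mapping:
        e = self.directory[sid]
        if self.use_rfc2307:
            m = self._rfc2307(e)
            if m is not None:
                return m
        return self._ldb(e)


if __name__ == "__main__":
    for flag in (False, True):
        idmap = Idmap(sample_directory(), use_rfc2307=flag)
        print(f"use_rfc2307={flag}")
        for sid in (DOMAIN_USERS, ALICE, BOB, CAROL):
            print("  ", sid, idmap.sid_to_xid(sid))
```

Running it twice, once with the switch off and once with it on, shows the point of the default: with the switch off every object keeps its allocated ldb id whatever uidNumber says, so turning on rfc2307 mapping is a deliberate administrative step rather than a side effect of someone populating the attributes for a member server.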
