Samba4 idmap using uidNumber/gidNumber

Andrew Bartlett abartlet at
Sat Jun 16 02:59:36 MDT 2012

On Sat, 2012-06-16 at 10:43 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> >>> If you have any thoughts or comments on how this is done, please let me
> >>> know.  I would have liked to call into idmap_ad directly, but it is tied
> >>> too much into the s3 winbind to use directly, so I've instead just tried
> >>> to make it compatible.  The additional behaviour that I can see is that
> >>> there is no idmap range specified (all uidNumber values in the directory
> >>> are accepted) and we fall back to an ldb mapping on failure to find an
> >>> AD mapping.
> >>
> >> I think we should not mix this, there needs to be a configuration option
> >> to trigger the new behavior. For ID_MAP_BOTH we should check if the object
> >> has uidNumber and gidNumber on the same object with the same value.
> > 
> > Metze,
> > 
> > I first want to apologise for merging this over your objections.  I
> > totally missed your mail to the list!
> > 
> > As to a configuration option, I just wonder what the value is:  if
> > uidNumber and gidNumber values are filled in on the directory (and they
> > can only be set by the administrator), it seems to me that the intent is
> > clear.  We certainly couldn't make a change like this after the release,
> > but it seems to be the behaviour folks doing upgrades have been begging
> > us for.  (Naturally, we can just set it during the upgrade path, but
> > then we still need to set it on replicating peers). 
> > 
> > As to using an identical uidNumber and gidNumber as the clue - the
> > problem is that in rfc2307 gidNumber has two different meanings.  As you
> > know it means something similar to primaryGroupID and it means the
> > actual group ID value of a group object.  I'm not certain we can divine
> > that a gidNumber, even if identical, means a user private group and not
> > the user's primary group, which is distinct and may have other members. 
> > 
> > Certainly I would expect such a situation to be rare, but it would be
> > helpful if we had a safe indication. 
> > 
> > Again sorry for missing your objections.  How would you like to proceed
> > from here?
> The admin could add this value for usage on a member server; while doing
> so, I'm sure he didn't want to magically change the mapping on a running
> domain controller.
> Like explicitly configuring 'idmap_ad' with a range etc. on a member server,
> the admin should explicitly indicate that he wants to use the values on
> the domain controller!
> Please add an option and make it default to false.

I agree: if we add an option, we really should make it look and work
like the other idmap options already used on member servers, but none of
those (including the default and per-domain idmap configurations) seem
to express what we need here, namely a fallback to local idmapping (and I
don't think we can skip that).

Perhaps you can propose something that would fit your requirements? 


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
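To make the policy the two posters are arguing about concrete, here is a small model of it, written for this page and not taken from Samba's source. It assumes a hypothetical opt-in flag (use_rfc2307, default off, as Metze asks for), an idmap_ad-style id range, a local allocator standing in for the ldb fallback Andrew describes, and Metze's ID_MAP_BOTH rule (uidNumber equal to gidNumber on the same object) guarded by the caveat from the thread: if a group object with that gidNumber has members other than the user, the value is a shared primary group and the user only gets a UID mapping. The directory entries, SIDs, DNs and ranges are all constructed for the example.

```python
"""Model of the uidNumber/gidNumber mapping policy discussed above (example only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    """One directory object; attribute names follow RFC 2307 / AD spelling."""
    dn: str
    sid: str
    kind: str                               # "user" or "group"
    uidNumber: Optional[int] = None
    gidNumber: Optional[int] = None
    member: List[str] = field(default_factory=list)   # member DNs (groups only)


@dataclass
class Mapping:
    sid: str
    xid: int
    id_type: str      # "UID", "GID" or "BOTH"
    source: str       # "rfc2307" (read from the directory) or "local" (allocated)


class LocalAllocator:
    """Stand-in for the ldb-backed allocator: sequential ids from its own range."""

    def __init__(self, low: int, high: int) -> None:
        self._next, self._high = low, high
        self._table: Dict[str, Mapping] = {}

    def map(self, sid: str, id_type: str) -> Mapping:
        if sid not in self._table:
            if self._next > self._high:
                raise RuntimeError("local idmap range exhausted")
            self._table[sid] = Mapping(sid, self._next, id_type, "local")
            self._next += 1
        return self._table[sid]


class Idmap:
    def __init__(self, entries: List[Entry], use_rfc2307: bool = False,
                 id_range: Tuple[int, int] = (10000, 19999),
                 local_range: Tuple[int, int] = (20000, 29999)) -> None:
        self.by_sid = {e.sid: e for e in entries}
        self.groups_by_gid: Dict[int, List[Entry]] = {}
        for e in entries:
            if e.kind == "group" and e.gidNumber is not None:
                self.groups_by_gid.setdefault(e.gidNumber, []).append(e)
        self.use_rfc2307 = use_rfc2307        # hypothetical opt-in flag, default off
        self.low, self.high = id_range         # only directory values in this range are trusted
        self.local = LocalAllocator(*local_range)

    def _in_range(self, xid: Optional[int]) -> bool:
        return xid is not None and self.low <= xid <= self.high

    def _gid_is_private(self, user: Entry) -> bool:
        """True unless some group object carries the user's gidNumber and has other members.

        This is one possible reading of 'user private group'; the thread points out
        that gidNumber alone cannot prove it, so the check stays conservative."""
        for g in self.groups_by_gid.get(user.gidNumber, []):
            if any(m != user.dn for m in g.member):
                return False
        return True

    def sid_to_id(self, sid: str) -> Mapping:
        e = self.by_sid[sid]
        default_type = "UID" if e.kind == "user" else "GID"
        if not self.use_rfc2307:               # option off: behave as before, local only
            return self.local.map(sid, default_type)
        if e.kind == "user" and self._in_range(e.uidNumber):
            both = e.gidNumber == e.uidNumber and self._gid_is_private(e)
            return Mapping(sid, e.uidNumber, "BOTH" if both else "UID", "rfc2307")
        if e.kind == "group" and self._in_range(e.gidNumber):
            return Mapping(sid, e.gidNumber, "GID", "rfc2307")
        return self.local.map(sid, default_type)   # no usable AD mapping: fall back


# Constructed sample directory (not real data).
BASE = "S-1-5-21-111-222-333-"
ALICE, BOB, CAROL, DAVE = BASE + "1101", BASE + "1102", BASE + "1103", BASE + "1104"
G_ALICE, G_STAFF = BASE + "1201", BASE + "1202"
SAMPLE_ENTRIES = [
    Entry("cn=alice,ou=people", ALICE, "user", uidNumber=10001, gidNumber=10001),
    Entry("cn=bob,ou=people", BOB, "user", uidNumber=10002, gidNumber=10050),
    Entry("cn=carol,ou=people", CAROL, "user", uidNumber=30000),      # outside id_range
    Entry("cn=dave,ou=people", DAVE, "user"),                          # no rfc2307 attrs
    Entry("cn=alice,ou=groups", G_ALICE, "group", gidNumber=10001,
          member=["cn=alice,ou=people"]),                              # user private group
    Entry("cn=staff,ou=groups", G_STAFF, "group", gidNumber=10050,
          member=["cn=alice,ou=people", "cn=bob,ou=people"]),          # shared primary group
]


def resolve_all(use_rfc2307: bool) -> Dict[str, Mapping]:
    idmap = Idmap(SAMPLE_ENTRIES, use_rfc2307=use_rfc2307)
    return {sid: idmap.sid_to_id(sid) for sid in (ALICE, BOB, G_STAFF, CAROL, DAVE)}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"use_rfc2307={flag}")
        for sid, m in resolve_all(flag).items():
            print(f"  {sid} -> {m.id_type} {m.xid} ({m.source})")
```

With the flag off every SID gets a locally allocated id, which is the "don't magically change the mapping on a running domain controller" behaviour; with it on, alice maps to BOTH 10001, bob to UID 10002 only (10050 is staff's gidNumber and staff has other members), and carol and dave fall through to the local allocator. Samba 4.0 later shipped this switch for the DC as the smb.conf setting idmap_ldb:use rfc2307, default off.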
