Samba4 idmap using uidNumber/gidNumber
abartlet at samba.org
Sat Jun 16 02:59:36 MDT 2012
On Sat, 2012-06-16 at 10:43 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> >>> If you have any thoughts or comments on how this is done, please let me
> >>> know. I would have liked to call into idmap_ad directly, but it is tied
> >>> too much into the s3 winbind to use directly, so I've instead just tried
> >>> to make it compatible. The additional behaviour that I can see is that
> >>> there is no idmap range specified (all uidNumber values in the directory
> >>> are accepted) and we fall back to an ldb mapping on failure to find an
> >>> AD mapping.
> >> I think we should not mix this, there needs to be a configuration option
> >> to trigger the new behavior. For ID_MAP_BOTH we should check if the object
> >> has uidNumber and gidNumber on the same object with the same value.
> > Metze,
> > I first want to apologise for merging this over your objections. I
> > totally missed your mail to the list!
> > As to a configuration option, I just wonder what the value is: if
> > uidNumber and gidNumber values are filled in on the directory (and they
> > can only be set by the administrator), it seems to me that the intent is
> > clear. We certainly couldn't make a change like this after the release,
> > but it seems to be the behaviour folks doing upgrades have been begging
> > us for. (Naturally, we can just set it during the upgrade path, but
> > then we still need to set it on replicating peers).
> > As to using an identical uidNumber and gidNumber as the clue - the
> > problem is that in rfc2307 gidNumber has two different meanings. As you
> > know it means something similar to primaryGroupID and it means the
> > actual group ID value of a group object. I'm not certain we can divine
> > that a gidNumber, even if identical, means a user private group and not
> > the user's primary group, which is distinct and may have other members.
> > Certainly I would expect such a situation to be rare, but it would be
> > helpful if we had a safe indication.
> > Again sorry for missing your objections. How would you like to proceed
> > from here?
> The admin could add this value for usage on a member server, and while doing
> so, I'm sure he didn't want to magically change the mapping on a running
> domain controller.
> Like explicitly configuring 'idmap_ad' with a range etc. on a member server,
> the admin should explicitly indicate that he wants to use the values on
> the domain controller!
> Please add an option and make it default to false.
I agree, if we add an option, we really should make it look and work
like the other idmap options already used on member servers, but none of
those (including the default and per-domain idmap configurations) seem
to express what we need here, with the fallback to local idmapping that we
need (and I don't think we can skip that).
Perhaps you can propose something that would fit your requirements?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
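For readers unfamiliar with the member-server convention Metze refers to ("explicitly configuring 'idmap_ad' with a range etc."), here is an added smb.conf fragment; it is an illustration written for this page, not configuration taken from the thread or from Samba's own documentation. The domain name SAMDOM and the ID ranges are constructed values.

```ini
# Constructed example: idmap configuration on a Samba member server.
# The administrator opts in to the uidNumber/gidNumber (RFC 2307) values
# explicitly, per domain, and declares the ID range that will be honoured.

[global]
    security = ads
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE

    # Default (fallback) domain: local allocation from a tdb, own range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The AD domain: read uidNumber/gidNumber from the directory, but only
    # accept values inside this range; anything outside is not mapped.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
```

Two properties of this layout are the ones the thread is arguing about: the directory values are used only because the admin named the backend for that domain (nothing happens "magically" just because the attributes are populated), and the range acts as a sanity check, so a stray or mistyped uidNumber outside it is rejected rather than silently becoming a valid Unix ID. The ranges of the default and per-domain entries must not overlap.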