Samba4 idmap using uidNumber/gidNumber
Stefan (metze) Metzmacher
metze at samba.org
Tue Jun 19 09:25:11 MDT 2012
Hi Andrew,
>>>>> If you have any thoughts or comments on how this is done, please let me
>>>>> know. I would have liked to call into idmap_ad directly, but it is tied
>>>>> too much into the s3 winbind to use directly, so I've instead just tried
>>>>> to make it compatible. The additional behaviour that I can see is that
>>>>> there is no idmap range specified (all uidNumber values in the directory
>>>>> are accepted) and we fall back to an ldb mapping on failure to find an
>>>>> AD mapping.
>>>>
>>>> I think we should not mix this, there needs to be a configuration option
>>>> to trigger the new behavior. For ID_MAP_BOTH we should check if the object
>>>> has uidNumber and gidNumber on the same object with the same value.
>>>
>>> Metze,
>>>
>>> I first want to apologise for merging this over your objections. I
>>> totally missed your mail to the list!
>>>
>>> As to a configuration option, I just wonder what the value is: if
>>> uidNumber and gidNumber values are filled in on the directory (and they
>>> can only be set by the administrator), it seems to me that the intent is
>>> clear. We certainly couldn't make a change like this after the release,
>>> but it seems to be the behaviour folks doing upgrades have been begging
>>> us for. (Naturally, we can just set it during the upgrade path, but
>>> then we still need to set it on replicating peers).
>>>
>>> As to using an identical uidNumber and gidNumber as the clue - the
>>> problem is that in rfc2307 gidNumber has two different meanings. As you
>>> know it means something similar to primaryGroupID and it means the
>>> actual group ID value of a group object. I'm not certain we can divine
>>> that a gidNumber, even if identical, means a user private group and not
>>> the user's primary group, which is distinct and may have other members.
>>>
>>> Certainly I would expect such a situation to be rare, but it would be
>>> helpful if we had a safe indication.
>>>
>>> Again sorry for missing your objections. How would you like to proceed
>>> from here?
>>
>> The admin could add this value for usage on a member server, while doing
>> I'm sure he didn't want to magically change the mapping on a running
>> domain controller.
>>
>> Like explicitly configuring 'idmap_ad' with a range etc. on a member server,
>> the admin should explicitly indicate that he wants to use the values on
>> the domain controller!
>>
>> Please add an option and make it default to false.
>
> I agree, if we add an option, we really should make it look and work
> like the other idmap options already used on member servers, but none of
> those (including the default and per-domain idmap configurations) seem
> to express what we need here, with a fallback to local idmapping that we
> need here (and I don't think we can't skip that).
>
> Perhaps you can propose something that would fit your requirements?
I don't know, maybe "idmap_ldb:use rfc2307=yes" to enable it?
I guess any name we take sounds strange...
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120619/8dee2ff4/attachment.pgp>
More information about the samba-technical
mailing list