Samba4 idmap using uidNumber/gidNumber

Stefan (metze) Metzmacher metze at
Tue Jun 19 09:25:11 MDT 2012

Hi Andrew,

>>>>> If you have any thoughts or comments on how this is done, please let me
>>>>> know.  I would have liked to call into idmap_ad directly, but it is tied
>>>>> too much into the s3 winbind to use directly, so I've instead just tried
>>>>> to make it compatible.  The additional behaviour that I can see is that
>>>>> there is no idmap range specified (all uidNumber values in the directory
>>>>> are accepted) and we fall back to an ldb mapping on failure to find an
>>>>> AD mapping.
>>>> I think we should not mix this, there needs to be a configuration option
>>>> to trigger the new behavior. For ID_MAP_BOTH we should check if the object
>>>> has uidNumber and gidNumber on the same object with the same value.
>>> Metze,
>>> I first want to apologise for merging this over your objections.  I
>>> totally missed your mail to the list!
>>> As to a configuration option, I just wonder what the value is:  if
>>> uidNumber and gidNumber values are filled in on the directory (and they
>>> can only be set by the administrator), it seems to me that the intent is
>>> clear.  We certainly couldn't make a change like this after the release,
>>> but it seems to be the behaviour folks doing upgrades have been begging
>>> us for.  (Naturally, we can just set it during the upgrade path, but
>>> then we still need to set it on replicating peers). 
>>> As to using an identical uidNumber and gidNumber as the clue - the
>>> problem is that in rfc2307 gidNumber has two different meanings.  As you
>>> know it means something similar to primaryGroupID and it means the
>>> actual group ID value of a group object.  I'm not certain we can divine
>>> that a gidNumber, even if identical, means a user private group and not
>>> the user's primary group, which is distinct and may have other members. 
>>> Certainly I would expect such a situation to be rare, but it would be
>>> helpful if we had a safe indication. 
>>> Again sorry for missing your objections.  How would you like to proceed
>>> from here?
>> The admin could add this value for usage on a member server, while doing
>> I'm sure he didn't want to magically change the mapping on a running
>> domain controller.
>> Like explicitly configuring 'idmap_ad' with a range etc. on a member server,
>> the admin should explicitly indicate that he wants to use the values on
>> the domain controller!
>> Please add an option and make it default to false.
> I agree, if we add an option, we really should make it look and work
> like the other idmap options already used on member servers, but none of
> those (including the default and per-domain idmap configurations) seem
> to express what we need here, with a fallback to local idmapping that we
> need here (and I don't think we can't skip that).
> Perhaps you can propose something that would fit your requirements? 

I don't know, maybe "idmap_ldb:use rfc2307=yes" to enable it?
I guess any name we take sounds strange...
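To make the behaviour under discussion concrete, here is an added illustration (not Samba code, and not what either Andrew or metze posted) of a resolver that only consults uidNumber/gidNumber when an explicit option is enabled, accepts any directory value without a range check, and falls back to a local ldb-style allocation otherwise. The directory entries, SIDs and the local starting number are constructed for the example; the option name follows the "use rfc2307" suggestion above.

```python
# Constructed directory content keyed by SID; only the attributes that matter.
DIRECTORY = {
    "S-1-5-21-1-2-3-1104": {"objectClass": "user", "uidNumber": 10001,
                            "primaryGroupID": 513},
    "S-1-5-21-1-2-3-1105": {"objectClass": "user"},      # no rfc2307 attributes
    "S-1-5-21-1-2-3-513":  {"objectClass": "group", "gidNumber": 10513},
}


class IdMapper:
    def __init__(self, directory, use_rfc2307=False, local_base=3000000):
        self.directory = directory
        self.use_rfc2307 = use_rfc2307   # default off: admin must opt in
        self.local = {}                  # stands in for the idmap ldb
        self.next_local = local_base     # constructed starting point

    def _local(self, sid):
        # Fallback: allocate from the local range, as before the change.
        if sid not in self.local:
            self.local[sid] = self.next_local
            self.next_local += 1
        return self.local[sid]

    def sid_to_id(self, sid):
        """Return (kind, number) where kind is 'uid' or 'gid'."""
        entry = self.directory.get(sid)
        if entry is None:
            raise KeyError(sid)
        if entry["objectClass"] == "group":
            attr, kind = "gidNumber", "gid"
        else:
            attr, kind = "uidNumber", "uid"
        # Consult the directory value only when the option is on, and only
        # for the attribute matching the object type: a user's gidNumber is
        # its primary group, not an ID for the user object itself.
        if self.use_rfc2307 and attr in entry:
            return kind, entry[attr]     # no idmap range check is applied
        return kind, self._local(sid)
```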
