Proposal/Idea: Remove support for using rfc2307 attributes for s4 id-mapping?

Andrew Bartlett abartlet at
Mon Oct 15 17:02:08 MDT 2012

On Mon, 2012-10-15 at 10:25 -0400, simo wrote:
> On Mon, 2012-10-15 at 15:17 +0200, Michael Adam wrote:
> > Hi folks,
> > 
> > we have encountered several difficulties with the use
> > of rfc2307/sfu posix attributes in our (s4) ldap for
> > id-mapping (s4-winbind id-mapping).
> > 
> > I was thinking if it would not be better (meaning
> > simpler, less error-prone) to remove support for using
> > these SFU-style posix-attributes for our internal id-mapping.
> > 
> > If I understand the code correctly, the current idmapping
> > code checks whether the sfu posix attributes for a user
> > are present and uses them in that case, else falls back to
> > the idmap.ldb mechanism. So from the perspective of the
> > id mapping code this is read only. This alone seems to be
> > calling out for trouble. If at a later time, sfu attributes
> > are added to a user, he would change from his idmap.ldb
> > identity to the sfu identity, unix-wise.
> > 
> > Also, there is no "sfu posix id pool master" fsmo role or
> > similar, so it would be difficult to correctly handle
> > these attributes in a multi-dc setup if we wanted to
> > add them via some tools (like samba-tool user add ...).
> > 
> > Hence, I would suggest that we _remove_ the use of the sfu posix
> > attributes from our internal id mapping on the DC again.
> > This would re-establish the original very simple id-mapping
> > scheme, which has its charm.
> > 
> > To be clear: I do not suggest to remove the sfu schema extension.
> > We should of course keep it. And an admin can fill it, e.g. via
> > the "Active Directory Users and Computers" dialog, but this
> > should not be used on the DC itself but rather on external
> > servers (like a samba member).
> > 
> > Am I missing something important here?
> Sorry Michael, I think this would be a very bad mistake.
> I actually would think we should use *only* rfc2307 attributes, as those
> are the authoritative ones when an admin wants to use them.

Allocation is the difficult challenge here, but I certainly understand
the attraction.  What we have at the moment isn't great, but at least it
seems to mostly work - for sites that don't care about rfc2307 they
don't need to use it, and it just works.

For sites that do, we make it easy to set (fill in the magic in the
directory for NIS) and allow opt-in.  These sites are often very
particular about specific IDs (allocated elsewhere) and we want to
follow those where at all possible.

> What are the exact difficulties here ?
> Andrew pointed out some issues with IDMAP_BOTH as the SDC, but I think
> we can find a method to handle idmap_both, without too much pain.

I think we can.  I was tired and grumpy when I tried to speak with you
about it, but I'm sure we can sort something out.  I would prefer a
per-user attribute if at all practical, but let's not confuse this
thread with that discussion.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
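As an added illustration of the fallback Michael describes above (use the SFU/rfc2307 posix attribute when present, else allocate from idmap.ldb) and of the identity change he warns about when an attribute is filled in later, here is example code written for this page, not Samba's own; the pool start, SIDs and account names are constructed, and `find_identity_drift` is a hypothetical consistency check, not a Samba tool.

```python
# Added example (not Samba code): model of the s4 winbind id-mapping fallback
# discussed in the thread, plus a check for the hazard it raises.
from dataclasses import dataclass, field


@dataclass
class IdmapDb:
    """Stand-in for idmap.ldb: SID -> allocated xid, with a simple pool."""
    next_xid: int = 3000000          # constructed pool start, not Samba's default
    mapping: dict = field(default_factory=dict)

    def allocate(self, sid):
        # Allocation is sticky: a SID keeps the xid it was first given.
        if sid not in self.mapping:
            self.mapping[sid] = self.next_xid
            self.next_xid += 1
        return self.mapping[sid]


def resolve_xid(entry, idmap):
    """Return (xid, source): prefer the rfc2307 attribute, else idmap.ldb."""
    attr = "uidNumber" if "user" in entry.get("objectClass", ()) else "gidNumber"
    if attr in entry:
        return int(entry[attr]), "rfc2307"
    return idmap.allocate(entry["objectSid"]), "idmap.ldb"


def find_identity_drift(entries, idmap):
    """Accounts whose rfc2307 id now shadows an earlier idmap.ldb allocation.

    Such accounts changed unix identity, so files owned under the old xid
    no longer belong to them. Returns (name, old_xid, new_xid) tuples.
    """
    drift = []
    for e in entries:
        sid = e["objectSid"]
        xid, source = resolve_xid(e, idmap)
        if source == "rfc2307" and sid in idmap.mapping and idmap.mapping[sid] != xid:
            drift.append((e["sAMAccountName"], idmap.mapping[sid], xid))
    return drift


def demo():
    idmap = IdmapDb()
    # constructed directory entry; the SID is a placeholder
    alice = {"sAMAccountName": "alice", "objectSid": "S-1-5-21-EXAMPLE-1105",
             "objectClass": ("user",)}
    first, src1 = resolve_xid(alice, idmap)    # no posix attrs: idmap.ldb allocates
    alice["uidNumber"] = "10042"               # admin later fills in the SFU attribute
    second, src2 = resolve_xid(alice, idmap)   # same account, different unix identity
    return first, src1, second, src2, find_identity_drift([alice], idmap)
```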

More information about the samba-technical mailing list