Samba 4 and winbind

Rowland Penny repenny at f2s.com
Mon Apr 15 13:14:10 MDT 2013


On 15/04/13 19:39, Alexander Bokovoy wrote:
>
>
>
> On Mon, Apr 15, 2013 at 9:11 PM, Rowland Penny <repenny at f2s.com 
> <mailto:repenny at f2s.com>> wrote:
>
>     On 15/04/13 18:55, Alexander Bokovoy wrote:
>>
>>
>>
>>     On Mon, Apr 15, 2013 at 8:47 PM, Rowland Penny <repenny at f2s.com
>>     <mailto:repenny at f2s.com>> wrote:
>>
>>         On 15/04/13 18:23, Alexander Bokovoy wrote:
>>>
>>>
>>>
>>>         On Mon, Apr 15, 2013 at 7:12 PM, Rowland Penny
>>>         <repenny at f2s.com <mailto:repenny at f2s.com>> wrote:
>>>
>>>             On 15/04/13 16:47, Jeremy Allison wrote:
>>>
>>>                 On Mon, Apr 15, 2013 at 04:42:50PM +0100, Rowland
>>>                 Penny wrote:
>>>
>>>                     Again, this I understand, but if Winbind was a
>>>                     stand alone daemon,
>>>                     like it is with S3, then you could choose to use
>>>                     it or not. I
>>>                     actually think that if there was a choice then
>>>                     most people would
>>>                     choose not to use winbind due to its complexity
>>>                      and inconsistency.
>>>
>>>                 Oh, bitching on winbindd again. Very popular on this
>>>                 list it
>>>                 seems :-).
>>>
>>>                 If you have specific problems, please log bugs.
>>>                 Don't just
>>>                 try and make some specific code into the boogyman, we've
>>>                 had enough of proprietarty vendors doing that
>>>                 against the
>>>                 whole of Samba thanks very much, we don't need our
>>>                 own users
>>>                 to join in.
>>>
>>>                 Jeremy.
>>>
>>>
>>>             OK, do you really want me to log a bug that basically
>>>             says that because S3 & S4 winbinds are different and the
>>>             fact that you cannot get the same uidNumber on the
>>>             server as on the clients that winbind is broken!!
>>>
>>>         Yes, I do want you to log this bug. There is no reason why
>>>         winbind implementation in Samba AD DC should use
>>>         unpredictable and dependent on the order of allocations high
>>>         watermark algorithm.
>>
>>         Could you please write this again in English, specifically
>>         the last part.
>>
>>     Please file a bug about ID mapping in Samba AD DC winbind being
>>     different from ID mapping in previous Samba versions.
>
>     OK, I will file a bug, but could you please advise me what 'the
>     order of allocations high watermark algorithm' means in English, I
>     do understand it at all.
>
>
> If RFC2307 support is enabled, Samba AD DC will first look at 
> uidNumber attribute and return that. This gives you "easy" way to get 
> the same uidNumber values as in previous install -- when migrating 
> users remember all UID/GIDs and assign them manually using ldb tools, 
> for example.
>
> However, if no uidNumber attribute is available in the entry, in order 
> to allocate UID/GID for a SID, Samba AD DC winbind uses an algorithm 
> that remembers the last highest allocated UID/GID and increments it 
> each time new request for allocating UID or GID comes. This value is 
> global, its increase is independent of an order in which requests come.
>
> It has some configurable starting value A and if ID is asked for two 
> SIDs, SID S-X-Y-Z-1024 first and for S-X-Y-Z-512 afterwards, the 
> watermark would be A+2. If requests would come in different order, 
> say, S-X-Y-Z-512 and then S-X-Y-Z-1024, the watermark will be still 
> A+2 but IDs allocated for those two SIDs will be different from the 
> first case.
>
> -- 
> / Alexander Bokovoy
>
> -- 
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean. 
Thank you for explaining that, this seems to be very different from the 
way that S3 winbind works. Also have you seen how sssd are doing the 
mapping, no rfc2307 involved, they take the SID, hash the domain sid to 
get a constant number and add the rid to the end of that i.e. from your 
examples, hash S-X-Y-Z to get a number like 120140 to which is added 
1024, you end up with 1201401024, provided you use the same sssd.conf 
file on the server & client you get the same uidNumber, but you cannot 
use sssd in this mode on the server because of the built in winbind, 
cifs tries to use the uidnumber that S4 comes up with.

Rowland

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



More information about the samba-technical mailing list