Recent changes to autorid (was Re: [SCM] Samba Shared Repository - branch master updated)

Tue Apr 29 02:54:29 MDT 2014

Jeremy,

On 2014-04-28 at 09:42 -0700, Jeremy Allison wrote:
> On Mon, Apr 28, 2014 at 06:10:51PM +0200, Michael Adam wrote:
> > 
> > autorid currently only has ranges of a fixed size
> > ("idmap config * : rangesize = ...").
> > And, by "people", do you mean the developers?
> > We don't have a configuration means to create a range
> > for the wellknown sids, currently.
> 
> As these SIDs are wellknown, and aren't going to
> change (only expand as Microsoft adds more), can't
> we just cut out a fixed area of say 500 id's and
> have hardcoded mappings for these ?
> 
Do I get it right that you don't mean to carve out
a range for the well knowns in the autorid setting,
but globally in samba/winbind, i.e. have a universal
configuration of the well-knowns that is independent
of any id mapping setup?

(If you do mean to carve out an area from the autorid
alloc range instead, this would be essentially the
initial variant of my solution.  But I replaced that
by the present more robust and upgrade-safe solution.)

I certainly see the appeal of such a solution of having
an independent and fixed range for well-knowns and a
fixed and universally deterministic mapping for all the
well-knowns. I have thought if it myself, but I think
it is not that simple. Of course it is simple to implement
the fixed mapping itself. But to treat every config and
upgrade case correclty seems to be cumbersome at least to me.

> If that range has already been used in someone's
> config, we refuse to start, and provide a mechanism
> for them to remap.

What do you intend to remap? The IDs that have been
configured previously? This is difficult, since they
have probably already made it into the file system
ownerships and acls.

Next thing to consider is what to do with those
setups where the well-knowns have been created
perviously in the id mapping range. You also need
to traverse the File system and potentially change
acls before you can run with the new code, so similar
problem here..

> A bit dramatic, but very simple.

I don't think it is very dramatic, but instead
a very desirable and natural thing. But unfortunately
I currently see too many devils in the details to
get upgrades and conflicting configs propoerly supported.

If we were to introduce the deterministic well-known
mappings, this would be very simple indeed.

More thoughts and discussion highly appreciated!
ID-mapping is a topic that is seemingly simple but
notoriously hard to get right in all its ramifications.

Cheers - Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140429/0b570de1/attachment.pgp>