Recent changes to autorid (was Re: [SCM] Samba Shared Repository - branch master updated)

Wed Apr 30 15:14:44 MDT 2014

On Wed, 2014-04-30 at 16:21 +0200, Mathias Dietz wrote:
> Simo <simo at samba.org> wrote on 30/04/2014 15:26:20:
> 
> > On Wed, 2014-04-30 at 14:38 +0200, Mathias Dietz wrote:
> > > Hi Michael, Jeremy, 
> > > 
> > > I'm concerned about the proposal of having fixed ids for
> well-knowns 
> > > because it has a high potential to break existing customer
> setups. 
> > > Even though having fixed ids for well-knows sounds appealing, you
> can not 
> > > guarantee that they do not conflict with existing users on the
> system.
> > 
> > I think the proposal form Jeremy is more nuanced.
> > 
> > As far as I understood it the idea is to propose *default* wellknown
> > mappings for wellknown SIDs.
> > However should those conflict with pre-existing setups then samba
> would
> > stop and tell the admin how to manually map all those sids in idmap.
> > 
> > The idea is not to hardcode the mappings, but to preset them in an
> idmap
> > table. 
> 
> What does "manually map" mean ? it should be possible to choose
> another well-known range if the default range has a conflict and not
> map individual IDs manually (like tdb2) . 
> 
> > 
> > > We use Samba with autorid for many customer installations and it
> happens 
> > > often that there are existing NFS ids which can not be changed
> easliy.
> > > A full file system traversal would be needed to replace
> conflicting ids in 
> > > the acls. Even worse, if conflicting NFSv3 users exists you would
> have to 
> > > change all the clients as well. In combination with SFU or NIS
> the 
> > > externally store ids would need to be changed as well.
> > > 
> > > This will scare some customers and lead to upgrade problems.
> > > Michaels initials proposal sounds more flexible and would not lead
> to such 
> > > problems. 
> > 
> > See the above, remapping of those IDs will always be possible, it is
> > just that it should be an exception and not the rule.
> > 
> > Simo.
> > 
> 
> The goal of the initial patch was to make sure that the well-known id
> assignment is 100% determinitic as long as you make sure that the
> autorid config is the same. Just by replicating the autorid config
> between multiple systems we can guarantee that the ids are the same. 
> Any remapping of IDs would need to be deterministic as well, e.g. by
> storing the well-known ID range in the autorid config. 

It could be as simple as having a "welknown sid range base" parameter in
the code, but I am not fussy about how this is implemented, it is
something that should be valid for all idmap mechanism and not tied to
autorid.

Simo.