autorid, idmapping and trustPosixOffset

Andrew Bartlett abartlet at samba.org
Wed May 7 23:00:36 MDT 2014


On Thu, 2014-05-01 at 18:18 -0700, Jeremy Allison wrote:
> On Fri, May 02, 2014 at 03:13:46AM +0200, Michael Adam wrote:
> > Yo,
> > 
> > On 2014-04-30 at 09:26 -0400, Simo wrote:
> > > On Wed, 2014-04-30 at 14:38 +0200, Mathias Dietz wrote:
> > > > 
> > > > I'm concerned about the proposal of having fixed ids for well-knowns 
> > > > because it has a high potential to break existing customer setups. 
> > > > Even though having fixed ids for well-knowns sounds appealing, you cannot 
> > > > guarantee that they do not conflict with existing users on the system.
> > > 
> > > I think the proposal from Jeremy is more nuanced.
> > > ...
> > > The idea is not to hardcode the mappings,
> > 
> > Yes that is precisely what Jeremy proposed.
> > 
> > > but to preset them in an idmap table.
> > 
> > No, I think you misunderstood Jeremy. If I got him
> > right, Jeremy proposed to have a fixed, hardcoded
> > internal mapping table for the wellknowns which is
> > not subject to idmap config, and rather prevent samba
> > from starting if an idmap config overlaps and have the
> > admin remap her id mappings than offer to change the
> > wellknown mappings.
> 
> Yep. That's pretty much what I proposed :-).
> 
> I think idmapping has gotten too horribly
> complex over the years, and we need to
> get it back to as basic a setup as possible.

One simpler, and perhaps more practical to explain scheme is that which
Microsoft uses.  Now, I do wonder if it is really ever used, but the
idea of using idmap_rid with the trustPosixOffset attribute has always
appealed to me.  It would also have the distinct advantage of being able
to fall back on the argument that 'it is what Microsoft defined', rather
than the endless flexibility we make our users understand and choose from
now, which overwhelms our users. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
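
An added illustration, not part of the message above and not Samba's code: a sketch of the two ideas in this thread, an offset-plus-RID mapping (assuming the Unix ID is the domain's POSIX offset plus the RID) and a startup check that refuses any configured range overlapping a fixed well-known block. The domain names, range values and the reserved block 900-999 are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One ID range per domain; low doubles as the domain's POSIX offset. */
struct id_range { const char *name; uint32_t low, high; };

/* Hypothetical reserved block for a fixed well-known table. */
static const struct id_range WELLKNOWN = { "well-known", 900, 999 };

/* Constructed sample configurations. */
static const struct id_range GOOD[] = {
    { "DOM_A", 100000, 199999 }, { "DOM_B", 200000, 299999 } };
static const struct id_range BAD[] = {
    { "DOM_A", 100000, 199999 }, { "LEGACY", 500, 950 } };

/* Unix ID = offset + RID, or -1 if the RID does not fit the range. */
int64_t rid_to_unix_id(const struct id_range *d, uint32_t rid)
{
    if (d->low > d->high || rid > d->high - d->low)
        return -1;
    return (int64_t)d->low + rid;
}

static int overlaps(const struct id_range *a, const struct id_range *b)
{
    return a->low <= b->high && b->low <= a->high;
}

/* Startup check: 0 if every range is valid and disjoint from the
 * reserved block and from every other range, -1 otherwise. */
int check_ranges(const struct id_range *d, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (d[i].low > d[i].high || overlaps(&d[i], &WELLKNOWN))
            return -1;
        for (size_t j = i + 1; j < n; j++)
            if (overlaps(&d[i], &d[j]))
                return -1;
    }
    return 0;
}

int main(void)
{
    printf("GOOD config: %d, BAD config: %d\n",
           check_ranges(GOOD, 2), check_ranges(BAD, 2));
    printf("DOM_A RID 1104 -> %lld\n",
           (long long)rid_to_unix_id(&GOOD[0], 1104));
    return 0;
}
```

Rejecting the RID that falls outside its domain's range matters as much as the overlap check: without it, a large RID in one domain would land on an ID owned by the next.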





