How to do AD ID allocation right, once

Andrew Bartlett abartlet at samba.org
Wed Jul 1 23:14:35 CEST 2015


On Thu, 2015-06-25 at 21:35 +0300, Alexander Bokovoy wrote:
> On Thu, Jun 25, 2015 at 07:33:07PM +0200, Ralph Böhme wrote:
> > On Thu, Jun 25, 2015 at 10:23:07AM -0700, Jeremy Allison wrote:
> > > On Thu, Jun 25, 2015 at 11:48:36AM +0300, Alexander Bokovoy wrote:
> > > > > >        similar to idmap_rid based on the slice.
> > > > > 
> > > > > fwiw:
> > > > > => idmap_autorid
> > > > Yes, this is one option from which sssd-ad derived its inspiration.
> > > > There is a difference, though, as autorid tends to produce
> > > > non-deterministic ordering of the domain-to-range mappings.
> > > 
> > > Hmmm. Is there a way that can be fixed, ... 
> > 
> > probably not, as idmap_autorid does it differently and stores the
> > non-deterministic domain-to-range mappings in autorid.tdb.
> > 
> > > ... or would it only be available for idmap_autorid2 ?
> > 
> > Guess so.
> Yep. I guess we could go with idmap_autorid2 with an algorithm like
> sssd-ad does and be good with it. ;)
> 
> Either way, there are more issues here to solve. One practical solution
> is to make sure that for Samba AD deployments we could recommend
> to go with idmap_ad for client machines and a variant of
> idmap_autorid{,2} on Samba AD DCs which do what source4/winbindd/idmap
> does right now -- allocating the IDs and storing them in
> uidNumber/gidNumber fields in the LDAP entries. This way when a user is
> created, we could force uidNumber/gidNumber allocation on DCs and just
> use allocated values on the clients. SSSD complements this scheme by
> allowing the clients to request ID allocation from a central place if
> there are no IDs yet, giving us centralized DCs to control actual
> allocation rather than spreading out the problem space among clients and
> DCs.

Yes, I think this is the correct approach. I need to write more down
about how to make the details work, and perhaps allow sites to select
between 'large' installs or 'many small trusted domains' (idmap_rid vs
idmap_sssd_compat) and have a way to detect if we would get a hash
collision.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
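Added worked example (not code from this thread, from Samba or from SSSD): a
deterministic domain-to-range allocator of the kind Alexander describes for
sssd-ad, plus the hash-collision check Andrew mentions. Each domain SID is
hashed to a slice index, so every host that uses the same parameters computes
the same domain-to-range table regardless of the order in which domains are
first seen (the property idmap_autorid lacks). Assumptions, labelled as such
in the code: MurmurHash3 (x86_32) over the SID string with seed 0xdeadbeef,
and the 200000-2000200000 range split into 200000-id slices. Both are my
recollection of the sssd-ad defaults, not something this thread states. The
domain SIDs are constructed for the example.

```python
"""Deterministic domain-to-ID-slice allocation with collision detection.

Added example, not Samba/SSSD code. Hash function, seed and range constants
are assumptions modelled on sssd-ad's scheme as I understand it.
"""
import struct

_MASK = 0xFFFFFFFF


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's public-domain algorithm)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & _MASK
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * c1) & _MASK
        k = ((k << 15) | (k >> 17)) & _MASK
        k = (k * c2) & _MASK
        h ^= k
        h = ((h << 13) | (h >> 19)) & _MASK
        h = (h * 5 + 0xE6546B64) & _MASK
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & _MASK
        k = ((k << 15) | (k >> 17)) & _MASK
        k = (k * c2) & _MASK
        h ^= k
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & _MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & _MASK
    h ^= h >> 16
    return h


# Assumed defaults (my recollection of sssd-ad's; treat as assumptions).
RANGE_MIN = 200_000
RANGE_MAX = 2_000_200_000
SLICE_SIZE = 200_000                                  # ids per domain slice
MAX_SLICES = (RANGE_MAX - RANGE_MIN) // SLICE_SIZE    # 10_000 slices
HASH_SEED = 0xDEADBEEF                                # assumed SID-hash seed


def domain_slice(domain_sid: str, max_slices: int = MAX_SLICES) -> int:
    """Slice index as a pure function of the SID string: the same on every
    host, unlike idmap_autorid's first-seen allocation order."""
    return murmurhash3_32(domain_sid.encode("ascii"), HASH_SEED) % max_slices


def build_map(domain_sids, max_slices: int = MAX_SLICES):
    """Return ({domain_sid: slice}, [(sid, sid_already_there, slice), ...]).
    Collisions are reported, not silently resolved: two domains on one slice
    would alias each other's uids, which a site must detect up front."""
    by_slice, collisions = {}, []
    for sid in sorted(domain_sids):        # input order must not matter
        s = domain_slice(sid, max_slices)
        if s in by_slice:
            collisions.append((sid, by_slice[s], s))
        else:
            by_slice[s] = sid
    return {sid: s for s, sid in by_slice.items()}, collisions


def rid_fits_slice(rid: int) -> bool:
    return 0 <= rid < SLICE_SIZE


def sid_to_uid(sid: str, mapping: dict) -> int:
    """RID offset within the domain's slice (the idmap_rid idea applied to
    the deterministic slice)."""
    domain, rid_str = sid.rsplit("-", 1)
    rid = int(rid_str)
    if domain not in mapping:
        raise KeyError(f"no slice allocated for domain {domain}")
    if not rid_fits_slice(rid):
        raise ValueError(f"RID {rid} >= slice size; would alias another slice")
    return RANGE_MIN + mapping[domain] * SLICE_SIZE + rid


# Constructed sample data: made-up domain SIDs for this example.
SAMPLE_DOMAINS = [
    "S-1-5-21-1000000001-2000000002-3000000003",
    "S-1-5-21-1100000004-2100000005-3100000006",
    "S-1-5-21-1200000007-2200000008-3200000009",
]

if __name__ == "__main__":
    mapping, collisions = build_map(SAMPLE_DOMAINS)
    for dom, s in sorted(mapping.items(), key=lambda kv: kv[1]):
        lo = RANGE_MIN + s * SLICE_SIZE
        print(f"{dom}: slice {s} -> ids {lo}-{lo + SLICE_SIZE - 1}")
    print("collisions:", collisions)
    print(sid_to_uid(SAMPLE_DOMAINS[0] + "-1105", mapping))
```

On a real site you would run build_map over the complete list of trusted
domain SIDs before enabling the scheme; a non-empty collision list means two
domains would share a slice and the parameters (slice count, range) need
changing. The RID check matters for the same reason: a RID at or above the
slice size would land in the next domain's range.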