[PATCH] samba-tool: make 'samba-tool user create' work like ADUC

Andrew Bartlett abartlet at samba.org
Sun Jun 21 00:53:26 MDT 2015


On Sat, 2015-06-20 at 15:36 +0100, Rowland Penny wrote:
> Hi, The basis behind this patch is to make creating a NIS user or group 
> with samba-tool work more like ADUC
> 
> With ADUC, you create the user or group and then add NIS attributes via 
> the Unix Attributes tab.
> The user or group object's ID number is obtained from msSFU30MaxUidNumber 
> or msSFU30MaxGidNumber, or the start number '10000' is used.

I'm sorry, but I don't agree with the assignment of non-deterministic
values to these attributes unless it is done on a FSMO role owner, as
otherwise we could see conflicts when create operations are performed on
a split-brain network, or simply due to replication delay. 

The reason these 'simple' approaches haven't been taken is that in a
multi-master replication environment, simple things are exceedingly
complex. 

The issue is that every option has drawbacks:
 - using trustPosixOffset doesn't cope with inter-forest trusts
 - using idmap_rid has the issue of selecting which domain is 'first'
 - using idmap_autorid has the issue of possible conflicts in the SID
portion mappings
 - using the sssd algorithm has similar risks (should be observable with
about 10 trusts on average, if I did the maths right)

It is really hard (impossible) to compress a 128 bit (or larger) number
(the SID) into a 32 bit number without compromises or collisions. 

Sadly the paralysis of choice has also had a part to play - there are so
many different choices, all with drawbacks, that we have left our users
with the least useful option, but the only 'safe' one, being a local
counter on each DC. 

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
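The three families of SID-to-id schemes named above (a plain RID offset, a locally allocated range per domain, and a hash of the domain SID choosing a range) can be modelled in a few dozen lines, which makes the collision and consistency problems concrete. The block below is an added illustration written for this page; it is not Samba's idmap_rid or idmap_autorid code, nor sssd's implementation, and its parameter names, defaults, the use of SHA-256 as the slice hash, and the sample SIDs are all assumptions made for the example.

```python
"""Toy models of SID -> POSIX id mapping and the collisions each risks.

Added example, not Samba or sssd code. A domain SID (S-1-5-21-a-b-c) plus a
RID is roughly 128 bits of identity; every scheme below squeezes it into a
32-bit id, and each loses something different in the process.
"""
from __future__ import annotations

import hashlib


def parse_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not a domain SID with RID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_map(sid: str, low_id: int = 10000, high_id: int = 1999999) -> int:
    """idmap_rid-style arithmetic: id = low_id + RID (assumed defaults).

    The domain part of the SID never enters the id, so two domains mapped
    with the same range collide RID for RID; avoiding that needs a disjoint
    hand-assigned range per trusted domain, which is the 'which domain is
    first' problem."""
    _, rid = parse_sid(sid)
    uid = low_id + rid
    if not low_id <= uid <= high_id:
        raise ValueError(f"RID {rid} falls outside [{low_id}, {high_id}]")
    return uid


class LocalSlotAllocator:
    """autorid-like allocation: each newly seen domain SID takes the next free
    slot of `rangesize` ids, recorded in a table local to this host.

    Two hosts that first meet the domains in a different order give the same
    SID different ids, so the mapping is only stable per host."""

    def __init__(self, low_id: int = 10000, rangesize: int = 100000, nslots: int = 100):
        self.low_id, self.rangesize, self.nslots = low_id, rangesize, nslots
        self.slots: dict[str, int] = {}  # domain SID -> slot index (local state)

    def map(self, sid: str) -> int:
        dom, rid = parse_sid(sid)
        if rid >= self.rangesize:
            raise ValueError(f"RID {rid} does not fit in a slot of {self.rangesize}")
        if dom not in self.slots:
            if len(self.slots) >= self.nslots:
                raise RuntimeError("all slots allocated")
            self.slots[dom] = len(self.slots)
        return self.low_id + self.slots[dom] * self.rangesize + rid


def _slice_of(domain_sid: str, nslices: int) -> int:
    """Deterministic slice choice from a hash of the domain SID.
    SHA-256 stands in for whatever hash a real implementation uses."""
    digest = hashlib.sha256(domain_sid.encode()).digest()
    return int.from_bytes(digest[:4], "big") % nslices


def hash_slice_map(sid: str, low_id: int = 10000, rangesize: int = 100000,
                   nslices: int = 10000) -> int:
    """Hash-slice mapping in the spirit of the sssd algorithm: every host
    computes the same id with no coordination, but two unrelated domains can
    land in the same slice and then collide RID for RID."""
    dom, rid = parse_sid(sid)
    if rid >= rangesize:
        raise ValueError(f"RID {rid} does not fit in a slice of {rangesize}")
    return low_id + _slice_of(dom, nslices) * rangesize + rid


def find_slice_collision(domain_sids: list[str], nslices: int) -> tuple[str, str] | None:
    """Return the first pair of domains sharing a slice, or None."""
    seen: dict[int, str] = {}
    for dom in domain_sids:
        s = _slice_of(dom, nslices)
        if s in seen:
            return seen[s], dom
        seen[s] = dom
    return None


def collision_probability(ndomains: int, nslices: int) -> float:
    """Birthday bound: chance that at least two of `ndomains` domains hash to
    the same one of `nslices` slices, assuming a uniform hash."""
    p_distinct = 1.0
    for i in range(ndomains):
        p_distinct *= (nslices - i) / nslices
    return 1.0 - p_distinct


if __name__ == "__main__":
    # Constructed SIDs; the domain components are made up for the demo.
    doma, domb = "S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"
    alice, bob = f"{doma}-1105", f"{domb}-1105"
    print("rid_map collides across domains:", rid_map(alice), rid_map(bob))
    host1, host2 = LocalSlotAllocator(), LocalSlotAllocator()
    host1.map(alice); host1.map(bob)          # host1 sees DOMA first
    host2.map(bob);   host2.map(alice)        # host2 sees DOMB first
    print("same SID, two hosts:", host1.map(alice), host2.map(alice))
    print("hash-slice ids:", hash_slice_map(alice), hash_slice_map(bob))
    print("P(slice collision, 200 domains, 10000 slices) =",
          round(collision_probability(200, 10000), 3))
```

Running the demo shows the three failure modes side by side: `rid_map` hands two different people the same id, the two `LocalSlotAllocator` hosts disagree about alice's id because their local tables were filled in a different order, and `collision_probability` gives the birthday-style odds that a hash-based scheme puts two domains into one slice. Which of these is acceptable depends on the deployment, which is the trade-off the message above describes.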
