[PATCH] samba-tool: make 'samba-tool user create' work like ADUC

Alexander Bokovoy ab at samba.org
Thu Jun 25 12:35:28 MDT 2015


On Thu, Jun 25, 2015 at 07:33:07PM +0200, Ralph Böhme wrote:
> On Thu, Jun 25, 2015 at 10:23:07AM -0700, Jeremy Allison wrote:
> > On Thu, Jun 25, 2015 at 11:48:36AM +0300, Alexander Bokovoy wrote:
> > > > >        similar to idmap_rid based on the slice.
> > > > 
> > > > fwiw:
> > > > => idmap_autorid
> > > Yes, this is one option from which sssd-ad derived its inspiration.
> > > There is a difference, though, as autorid tends to produce
> > > non-deterministic ordering of the domain-to-range mappings.
> > 
> > Hmmm. Is there a way that can be fixed, ... 
> 
> probably not, as idmap_autorid does it differently and stores the
> non-deterministic domain-to-range mappings in autorid.tdb.
> 
> > ... or would it only be available for idmap_autorid2 ?
> 
> Guess so.
Yep. I guess we could go with idmap_autorid2 with an algorithm like
sssd-ad does and be good with it. ;)

Either way, there are more issues here to solve. One practical solution
is to make sure that for Samba AD deployments we could recommend
to go with idmap_ad for client machines and a variant of
idmap_autorid{,2} on Samba AD DCs which do what source4/winbindd/idmap
does right now -- allocating the IDs and storing them in
uidNumber/gidNumber fields in the LDAP entries. This way, when a user is
created, we could force uidNumber/gidNumber allocation on DCs and just
use allocated values on the clients. SSSD complements this scheme by
allowing the clients to request ID allocation from a central place if
there are no IDs yet, giving us centralized DCs to control actual
allocation rather than spreading out the problem space among clients and
DCs.
-- 
/ Alexander Bokovoy
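Added example (not from the thread or the Samba project): what the client side of the scheme Alexander sketches above looks like in practice. A domain member runs idmap_ad, which only reads uidNumber/gidNumber from the directory and never allocates, so the DC (or whatever central allocator ends up there) is the sole source of IDs. The domain name, realm, and ranges below are assumptions for illustration; the option names are the stock Samba winbind/idmap options of that era.

```ini
[global]
    ; assumed names for the example
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.COM
    security = ADS

    ; the default (*) domain still needs a local backend for BUILTIN and
    ; any SIDs that are not from EXAMPLE; tdb allocates locally in this range
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    ; EXAMPLE: read-only mapping from the uidNumber/gidNumber attributes the
    ; DC stored; the client never allocates for this domain
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    ; assumed range; must cover every ID the DC side hands out
    idmap config EXAMPLE : range = 10000-999999

    ; also take home directory and shell from the RFC2307 attributes
    winbind nss info = rfc2307
```

The caveat that matches the thread's point: with idmap_ad a user whose entry has no uidNumber (or one outside the configured range) is simply not mapped on the client, and `getent passwd EXAMPLE\\user` returns nothing. That is the failure mode the central-allocation-on-DCs proposal is meant to close, by guaranteeing the attribute is populated at creation time rather than leaving each client to discover the gap.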