[PATCH] Check idmap config with testparm

Andreas Schneider asn at samba.org
Thu Dec 8 08:20:04 UTC 2016


On Thursday, 8 December 2016 08:42:37 CET Michael Adam wrote:
> On 2016-12-07 at 18:43 +0100, Andreas Schneider wrote:
> > Hello,
> > 
> > you might know I work for a Distributor and fix winbind issues there every
> > day.
> > I see so many invalid idmap configurations, I think 70% of the configs are
> > wrong or invalid.
> > 
> > In addition our documentation for ID mapping really sucks!
> 
> Hmm, I take this a little bit as a personal affront.
> Let me reply with a similar non-diplomatic statement:
> 
> 
> People should learn to read! :-)
> 
> 
> Have you read the section about "idmap config DOMAIN : OPTION" in
> "man smb.conf" and the backend specific manpages?
> 
> Among other things, smb.conf clearly states:
> 
>   "The first three of these [idmap_tdb, idmap_tdb2, idmap_ldap]
>   create mappings of their own using internal unixid counters and
>   store the mappings in a database.  These are suitable for use in
>   the default idmap configuration."

I do read those things but our customers don't. So should we abort if 
something other than these backends is used for the default domain?

Simply do not start winbind ...

> 
> As well as:
> 
>   "The configured ranges must be mutually disjoint."
> 
> Also, for further examples, reading the manpages of idmap_rid,
> I see:
> 
>   "One usually needs to define a writeable default idmap range,
>   using a backend like tdb or ldap that can create unix ids."
> 
> Looking at idmap_ad:
> 
>   "the ad backend does not work as the default idmap backend, but
>   one has to configure it separately for each domain for which
>   one wants to use it, using disjoint ranges."
> 
> 
> Enough examples. The doc is certainly not perfect, but
> saying it sucks just proves not having read it, imho.

The issue is that often our users do not read manpages. They search the web 
and what they find there lacks good information, explanations and examples.

I know how to configure ID mapping, our customers don't and clearly do not 
read the smb.conf manpage :(


This is not against you. It is also my fault that I didn't improve 
documentation earlier. But if our customers do not understand it, it sucks ;)

So let's improve it :-)


> 
> > So I had a call with Marc and he started to improve it. See the User
> > documentation in the Wiki.
> > 
> > While trying to chase down a winbindd bug the last days I read all the
> > changes last year and stumbled upon Volker's nice
> > lp_wi_scan_global_parametrics() function again. So I decided it is time
> > to check the idmap config in testparm.
> This is an excellent idea!
> (Don't rely on reading capabilities is always the safe bet... ;-)
> 
> > So here we go ...
> > 
> > 
> > <config>
> > 
> >         idmap config * : backend = rid
> >         idmap config * : range = 1000000-1999999
> >         
> >         # Winbind domain idmap
> >         idmap config EARTH : backend = rid
> >         idmap config EARTH : range = 100000000-199999999
> >         
> >         idmap config MARS : backend = rid
> >         idmap config MARS : range = 200000000-299999999
> >         
> >         idmap config VENUS : backend = rid
> >         idmap config VENUS : range = 150000000-399999999
> > 
> > </config>
> > 
> > <console>
> > bin/testparm smb.conf.ads > /dev/null
> > Load smb config files from smb.conf.ads
> > 
> > ERROR: Do not use the 'rid' backend for the default backend (idmap config
> > *)!
> > 
> > ERROR: The idmap range for the domain MARS overlaps with the range of
> > VENUS
> 
> Note that iirc, with Volker's recent work on idmap_ad, it
> is not forbidden any more to have overlapping idmap ranges!
> 
> At least you should be able to have multiple ad backend
> configs with the same range...

It still is not clear. Are overlapping ranges allowed

	idmap config EARTH : backend = ad
	idmap config EARTH : range = 1000-1999

	idmap config EARTH : backend = ad
	idmap config EARTH : range = 1500-2500

which I would find very strange. Or use the same range space

	idmap config EARTH : backend = ad
	idmap config EARTH : range = 1000-1999

	idmap config EARTH : backend = ad
	idmap config EARTH : range = 1000-1999


????



	Andreas


-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
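
An added example, not part of the original message and not Samba's testparm code: a small Python check that applies the two rules quoted in the thread (default backend limited to tdb, tdb2 or ldap; ranges mutually disjoint) to the configuration posted above. The function names are hypothetical, and the check does not model the possible idmap_ad exception for shared ranges raised in the thread.

```python
import re
from itertools import combinations

# Backends the smb.conf text quoted in the thread names as suitable for the default config.
ALLOCATING = {"tdb", "tdb2", "ldap"}
LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(text):
    """Collect {domain: {"backend": str, "range": (low, high)}} plus range errors."""
    domains, errors = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # comments, section headers, unrelated parameters
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if opt == "backend":
            entry["backend"] = val.lower()
            continue
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", val)
        if r and int(r.group(1)) <= int(r.group(2)):
            entry["range"] = (int(r.group(1)), int(r.group(2)))
        else:
            errors.append(f"invalid range for {dom}: {val!r}")
    return domains, errors

def check_idmap(text):
    """Return findings: bad ranges, unsuitable default backend, overlapping ranges."""
    domains, findings = parse_idmap(text)
    backend = domains.get("*", {}).get("backend")
    if backend is not None and backend not in ALLOCATING:
        allowed = ", ".join(sorted(ALLOCATING))
        findings.append(f"default backend '{backend}' is not one of {allowed}")
    ranged = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranged, 2):
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            findings.append(f"range of {a} overlaps range of {b}")
    return findings

# The configuration posted in the thread, reproduced as sample input.
SAMPLE = """\
idmap config * : backend = rid
idmap config * : range = 1000000-1999999
idmap config EARTH : backend = rid
idmap config EARTH : range = 100000000-199999999
idmap config MARS : backend = rid
idmap config MARS : range = 200000000-299999999
idmap config VENUS : backend = rid
idmap config VENUS : range = 150000000-399999999
"""
```

Calling check_idmap(SAMPLE) returns one finding for the default backend and one per overlapping pair; comparing every pair of domains also reports the EARTH/VENUS overlap in this configuration.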


