[PATCH] Check idmap config with testparm

Alexander Bokovoy ab at samba.org
Thu Dec 8 09:03:50 UTC 2016


On Thu, 08 Dec 2016, Andreas Schneider wrote:
> On Thursday, 8 December 2016 10:47:50 CET Alexander Bokovoy wrote:
> > On Thu, 08 Dec 2016, Andreas Schneider wrote:
> > > On Thursday, 8 December 2016 08:42:37 CET Michael Adam wrote:
> > > > On 2016-12-07 at 18:43 +0100, Andreas Schneider wrote:
> > > > > Hello,
> > > > > 
> > > > > you might know I work for a Distributor and fix winbind issues there every day.
> > > > > I see so many invalid idmap configurations, I think 70% of the configs are wrong or invalid.
> > > > > 
> > > > > In addition our documentation for ID mapping really sucks!
> > > > 
> > > > Hmm, I take this a little bit as a personal affront.
> > > > Let me reply with a similar non-diplomatic statement:
> > > > 
> > > > 
> > > > People should learn to read! :-)
> > > > 
> > > > 
> > > > Have you read the section about "idmap config DOMAIN : OPTION" in
> > > > "man smb.conf" and the backend specific manpages?
> > > > 
> > > > Among other things, smb.conf clearly states:
> > > >   "The first three of these [idmap_tdb, idmap_tdb2, idmap_ldap]
> > > >   create mappings of their own using internal unixid counters and
> > > >   store the mappings in a database.  These are suitable for use in
> > > >   the default idmap configuration."
> > > 
> > > I do read those things but our customers don't. So should we abort if
> > > something else than these backends are used for the default domain?
> > > 
> > > Simply do not start winbind ...
> > > 
> > > > As well as:
> > > >   "The configured ranges must be mutually disjoint."
> > > > 
> > > > Also, for further examples, reading the manpages of idmap_rid,
> > > > 
> > > > I see:
> > > >   "One usually needs to define a writeable default idmap range,
> > > >   using a backend like tdb or ldap that can create unix ids."
> > > > 
> > > > Looking at idmap_ad:
> > > >   "the ad backend does not work as the default idmap backend, but
> > > >   one has to configure it separately for each domain for which
> > > >   one wants to use it, using disjoint ranges."
> > > > 
> > > > Enough examples. The doc is certainly not perfect, but
> > > > saying it sucks just proves not having read it, imho.
> > > 
> > > The issue is that often our users do not read manpages. They search the web
> > > and what they find there lacks good information explanations and examples.
> > > 
> > > I know how to configure ID mapping, our customers don't and clearly do not
> > > read the smb.conf manpage :(
> > > 
> > > 
> > > This is not against you. It is also my fault that I didn't improve
> > > documentation earlier. But if our customers do not understand it, it sucks
> > > ;)
> > > 
> > > So let's improve it :-)
> > 
> > What about this patch: add a top level identity management section to
> > smb.conf(5) so that we can gather references to other documentation we
> > have around the idmap modules?
> > 
> > The suggestion then would be 'read smb.conf(5), section on identity
> > management, and all the references it contains'.
> 
> That looks good. I think somewhere we need an example of a default 
> configuration. Like
> 
> 
> 	idmap config * : backend = tdb
> 	idmap config * : range = 1000000-1999999
> 
> 	idmap config DOMAIN : backend = rid
> 	idmap config DOMAIN : range = 100000000-199999999
> 
> 
> I think this is mostly used. I think this would help people to get started.
We have it already in 'idmap config DOMAIN : OPTION' description. I
don't think we should duplicate that -- the only difference is that it
uses 'ad' instead of 'rid'.

-- 
/ Alexander Bokovoy
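
The rules quoted from the manpages in this thread (a default `*` section using tdb, tdb2 or ldap, and mutually disjoint ranges) can be checked mechanically. The following is an added example, not Samba's testparm code and not the patch discussed here; `parse_idmap`, `check_idmap` and the `BAD` sample are hypothetical names and constructed data.

```python
import re

# Backends the quoted smb.conf(5) text names as suitable for the default config.
DEFAULT_OK = {"tdb", "tdb2", "ldap"}
LINE = re.compile(r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+)", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high) or None}}."""
    domains = {}
    for raw in text.splitlines():
        m = LINE.fullmatch(raw.strip())  # comment lines (# or ;) never match
        if not m:
            continue
        entry = domains.setdefault(m.group(1).upper(), {})
        value = m.group(3).strip()
        if m.group(2).lower() == "range":
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            entry["range"] = (int(r.group(1)), int(r.group(2))) if r else None
        else:
            entry["backend"] = value.lower()
    return domains

def check_idmap(text):
    """Return a list of problems; an empty list means the checks passed."""
    domains, problems = parse_idmap(text), []
    default = domains.get("*")
    if default is None:
        problems.append("no 'idmap config * : ...' default section")
    elif default.get("backend") not in DEFAULT_OK:
        problems.append(f"default backend {default.get('backend')!r} is not tdb, tdb2 or ldap")
    ranges = []
    for dom, entry in domains.items():
        rng = entry.get("range")
        if rng is None or rng[0] > rng[1]:
            problems.append(f"{dom}: missing or invalid range")
        else:
            ranges.append((rng[0], rng[1], dom))
    top = None  # (highest id seen so far, domain that owns it)
    for low, high, dom in sorted(ranges):
        if top and low <= top[0]:
            problems.append(f"{dom} range overlaps {top[1]}")
        if top is None or high > top[0]:
            top = (high, dom)
    return problems

# Constructed samples: GOOD is the layout quoted in the thread, BAD is made up.
GOOD = ("idmap config * : backend = tdb\nidmap config * : range = 1000000-1999999\n"
        "idmap config DOMAIN : backend = rid\nidmap config DOMAIN : range = 100000000-199999999\n")
BAD = ("idmap config * : backend = ad\nidmap config * : range = 10000-29999\n"
       "idmap config DOMAIN : backend = rid\nidmap config DOMAIN : range = 20000-39999\n")
```
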


