[PATCH] Check idmap config with testparm

Rowland Penny repenny241155 at gmail.com
Thu Dec 8 09:04:09 UTC 2016


On Thu, 08 Dec 2016 09:52:34 +0100
Andreas Schneider <asn at samba.org> wrote:

> On Thursday, 8 December 2016 10:47:50 CET Alexander Bokovoy wrote:
> > On Thu, 08 Dec 2016, Andreas Schneider wrote:
> > > On Thursday, 8 December 2016 08:42:37 CET Michael Adam wrote:
> > > > On 2016-12-07 at 18:43 +0100, Andreas Schneider wrote:
> > > > > Hello,
> > > > > 
> > > > > you might know I work for a Distributor and fix winbind issues
> > > > > there every day.
> > > > > I see so many invalid idmap configurations, I think 70% of the
> > > > > configs are wrong or invalid.
> > > > > 
> > > > > In addition our documentation for ID mapping really sucks!
> > > > 
> > > > Hmm, I take this a little bit as a personal affront.
> > > > Let me reply with a similar non-diplomatic statement:
> > > > 
> > > > 
> > > > People should learn to read! :-)
> > > > 
> > > > 
> > > > Have you read the section about "idmap config DOMAIN : OPTION"
> > > > in "man smb.conf" and the backend specific manpages?
> > > > 
> > > > Among other things, smb.conf clearly states:
> > > >   "The first three of these [idmap_tdb, idmap_tdb2, idmap_ldap]
> > > >   create mappings of their own using internal unixid counters
> > > >   and store the mappings in a database.  These are suitable for
> > > >   use in the default idmap configuration."
> > > 
> > > I do read those things but our customers don't. So should we
> > > abort if something else than these backends are used for the
> > > default domain?
> > > 
> > > Simply do not start winbind ...
> > > 
> > > > As well as:
> > > >   "The configured ranges must be mutually disjoint."
> > > > 
> > > > Also, for further examples, reading the manpages of idmap_rid,
> > > > I see:
> > > >   "One usually needs to define a writeable default idmap range,
> > > >   using a backend like tdb or ldap that can create unix ids."
> > > > 
> > > > Looking at idmap_ad:
> > > >   "the ad backend does not work as the default idmap backend,
> > > >   but one has to configure it separately for each domain for which
> > > >   one wants to use it, using disjoint ranges."
> > > > 
> > > > Enough examples. The doc is certainly not perfect, but
> > > > saying it sucks just proves not having read it, imho.
> > > 
> > > The issue is that often our users do not read manpages. They
> > > search the web and what they find there lacks good information,
> > > explanations and examples.
> > > 
> > > I know how to configure ID mapping, our customers don't and
> > > clearly do not read the smb.conf manpage :(
> > > 
> > > 
> > > This is not against you. It is also my fault that I didn't improve
> > > documentation earlier. But if our customers do not understand it,
> > > it sucks ;)
> > > 
> > > So let's improve it :-)
> > 
> > What about this patch: add a top level identity management section
> > to smb.conf(5) so that we can gather references to other
> > documentation we have around the idmap modules?
> > 
> > The suggestion then would be 'read smb.conf(5), section on identity
> > management, and all the references it contains'.
> 
> That looks good. I think somewhere we need an example of a default 
> configuration. Like
> 
> 
> 	idmap config * : backend = tdb
> 	idmap config * : range = 1000000-1999999
> 
> 	idmap config DOMAIN : backend = rid
> 	idmap config DOMAIN : range = 100000000-199999999
> 
> 
> I think this is mostly used. I think this would help people to get
> started.
> 
> 
> 
> 	Andreas
> 
> 

Do you mean something like the one shown here:

https://wiki.samba.org/index.php/Idmap_config_rid

Rowland
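
The two rules quoted from the manpages in this thread (a default backend that can allocate ids, and mutually disjoint ranges) can be checked mechanically. The following is an added example, not part of the original message and not Samba's testparm code; `parse_idmap`, `check_idmap`, the `BAD` sample and the `CORP` domain name are constructed for illustration.

```python
import re
from itertools import combinations

# Backends the smb.conf text quoted above calls suitable for the default domain.
DEFAULT_OK = {"tdb", "tdb2", "ldap"}
LINE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for raw in text.splitlines():
        m = LINE.match(raw)  # commented-out lines (# or ;) do not match
        if not m:
            continue
        entry = domains.setdefault(m.group(1).upper(), {})
        if m.group(2).lower() == "backend":
            entry["backend"] = m.group(3).lower()
        else:
            low, _, high = m.group(3).partition("-")
            entry["range"] = (int(low), int(high))
    return domains

def check_idmap(text):
    """Return a list of problems; an empty list means both quoted rules hold."""
    domains, problems = parse_idmap(text), []
    backend = domains.get("*", {}).get("backend")
    # Only an explicitly configured default backend is judged here.
    if backend is not None and backend not in DEFAULT_OK:
        problems.append("default backend %r is not tdb, tdb2 or ldap" % backend)
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # closed intervals share at least one id
            problems.append("ranges of %s and %s overlap" % (d1, d2))
    return problems

# The configuration suggested in the thread.
GOOD = """
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 100000000-199999999
"""
# Constructed bad input: ad as default backend, and two overlapping ranges.
BAD = """
idmap config * : backend = ad
idmap config * : range = 10000-20000
idmap config CORP : backend = rid
idmap config CORP : range = 15000-30000
"""
print(check_idmap(GOOD), check_idmap(BAD))
```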



