[PATCH] Check idmap config with testparm
Rowland Penny
repenny241155 at gmail.com
Thu Dec 8 09:04:09 UTC 2016
On Thu, 08 Dec 2016 09:52:34 +0100
Andreas Schneider <asn at samba.org> wrote:
> On Thursday, 8 December 2016 10:47:50 CET Alexander Bokovoy wrote:
> > On Thu, 08 Dec 2016, Andreas Schneider wrote:
> > > On Thursday, 8 December 2016 08:42:37 CET Michael Adam wrote:
> > > > On 2016-12-07 at 18:43 +0100, Andreas Schneider wrote:
> > > > > Hello,
> > > > >
> > > > > you might know I work for a Distributor and fix winbind
> > > > > issues there every
> > > > > day.
> > > > > I see so many invalid idmap configurations, I think 70% of
> > > > > the configs are
> > > > > wrong or invalid.
> > > > >
> > > > > In addition our documentation for ID mapping really sucks!
> > > >
> > > > Hmm, I take this a little bit as a personal affront.
> > > > Let me reply with a similar non-diplomatic statement:
> > > >
> > > >
> > > > People should learn to read! :-)
> > > >
> > > >
> > > > Have you read the section about "idmap config DOMAIN : OPTION"
> > > > in "man smb.conf" and the backend specific manpages?
> > > >
> > > > Among other things, smb.conf clearly states:
> > > > "The first three of these [idmap_tdb, idmap_tdb2, idmap_ldap]
> > > > create mappings of their own using internal unixid counters
> > > > and store the mappings in a database. These are suitable for
> > > > use in the default idmap configuration."
> > >
> > > I do read those things but our customers don't. So should we
> > > abort if something else than these backends are used for the
> > > default domain?
> > >
> > > Simply do not start winbind ...
> > >
> > > > As well as:
> > > > "The configured ranges must be mutually disjoint."
> > > >
> > > > Also, for further examples, reading the manpages of idmap_rid,
> > > >
> > > > I see:
> > > > "One usually needs to define a writeable default idmap range,
> > > > using a backend like tdb or ldap that can create unix ids."
> > > >
> > > > Looking at idmap_ad:
> > > > "the ad backend does not work as the default idmap backend,
> > > > but one has to configure it separately for each domain for which
> > > > one wants to use it, using disjoint ranges."
> > > >
> > > > Enough examples. The doc is certainly not perfect, but
> > > > saying it sucks just proves not having read it, imho.
> > >
> > > The issue is that often our users do not read manpages. They
> > > search the web
> > > and what they find there lacks good information, explanations and
> > > examples.
> > >
> > > I know how to configure ID mapping, our customers don't and
> > > clearly do not read the smb.conf manpage :(
> > >
> > >
> > > This is not against you. It is also my fault that I didn't improve
> > > documentation earlier. But if our customers do not understand it,
> > > it sucks ;)
> > >
> > > So let's improve it :-)
> >
> > What about this patch: add a top level identity management section
> > to smb.conf(5) so that we can gather references to other
> > documentation we have around the idmap modules?
> >
> > The suggestion then would be 'read smb.conf(5), section on identity
> > management, and all the references it contains'.
>
> That looks good. I think somewhere we need an example of a default
> configuration. Like
>
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 100000000-199999999
>
>
> I think this is mostly used. I think this would help people to get
> started.
>
>
>
> Andreas
>
>
Do you mean something like the one shown here:
https://wiki.samba.org/index.php/Idmap_config_rid
Rowland
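
The two rules quoted from the man pages in this thread (a default backend of tdb, tdb2 or ldap, and mutually disjoint ranges) can be checked mechanically. The following is an added example, not part of the original message or of the Samba patch under discussion; the function names are hypothetical, and treating only those three backends as valid defaults is an assumption taken from the quoted smb.conf text.

```python
import re
from itertools import combinations

# Backends the smb.conf text quoted in the thread names as suitable for the default domain.
DEFAULT_OK = {"tdb", "tdb2", "ldap"}
OPTION = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.*?)\s*$", re.I)
RANGE = re.compile(r"(\d+)\s*-\s*(\d+)")

def parse_idmap(text):
    # Returns ({domain: backend}, {domain: (low, high)}, [problems]).
    backends, ranges, problems = {}, {}, []
    for raw in text.splitlines():
        m = OPTION.match(raw)  # commented-out lines do not match
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        if option == "backend":
            backends[domain] = value.lower()
            continue
        r = RANGE.fullmatch(value)
        if r and int(r.group(1)) <= int(r.group(2)):
            ranges[domain] = (int(r.group(1)), int(r.group(2)))
        else:
            problems.append("%s: invalid range %r" % (domain, value))
    return backends, ranges, problems

def check_idmap(text):
    # An empty list means the checks passed.
    backends, ranges, problems = parse_idmap(text)
    if backends.get("*") not in DEFAULT_OK:
        problems.append("*: default backend %r is not tdb, tdb2 or ldap" % backends.get("*"))
    for domain in sorted(set(backends) - set(ranges)):
        problems.append("%s: backend without a usable range" % domain)
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            problems.append("%s and %s: ranges overlap" % (a, b))
    return problems

# Constructed samples: GOOD is the configuration quoted in the thread,
# BAD swaps in the ad default backend and an overlapping DOMAIN range.
GOOD = """\
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 100000000-199999999
"""
BAD = GOOD.replace("backend = tdb", "backend = ad").replace("100000000-", "1500000-")

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_idmap(conf) or "ok")
```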