[PATCH] Check idmap config with testparm

Michael Adam obnox at samba.org
Thu Dec 8 10:38:17 UTC 2016


On 2016-12-08 at 10:14 +0000, Rowland Penny wrote:
> On Thu, 8 Dec 2016 11:02:01 +0100
> Volker Lendecke <vl at samba.org> wrote:
> 
> > On Thu, Dec 08, 2016 at 09:46:49AM +0000, Rowland Penny wrote:
> > > I think we need to decide one way or the other, at the moment on
> > > this Samba wiki page:
> > > 
> > > https://wiki.samba.org/index.php/Idmap_config_ad
> > > 
> > > Under the heading:
> > > 
> > > Advantages and Disadvantages of the ad Back End
> > > 
> > > and sub heading:
> > > 
> > > Disadvantages:
> > > 
> > > It says this:
> > > 
> > > If the Windows Active Directory Users and Computers (ADUC) program
> > > is not used, you have to manually track ID values to avoid duplicates.
> > > 
> > > So with one hand we are saying it is okay to use the
> > > msSFU30Max*idNumber attributes, but on the other hand it isn't if
> > > you use samba-tool. This is a bit inconsistent.
> > 
> > I'm afraid that I was just looking at it from a samba member
> > perspective. For the AD DC to handle this properly we need to
> > implement the rid allocation algorithm also for unix ids, but this
> > time globally across the whole forest. But this horse has been beaten
> > to death so many times that I'm not sure we still have remnants of
> > its corpse around.
> > 
> > Volker
> 
> I think you are missing the point here, if you use ADUC, you use the
> msSFU30Max*idNumber attributes. If you use samba-tool, you don't.
> 
> This is inconsistent, it is either okay to use the msSFU30Max*idNumber
> attributes or it isn't, which is it?

Hmm, Rowland, I am not sure I get your point.

This is about the idmap_ad module, not about the AD/DC server.

It is a client to an active directory, and retrieves user/group
IDs from there. It is very stupid in that it can be configured
with a range that the AD admin tells the samba admin.
It does not know about any msSFU30Max attribute, and afaict
does not need to.

The behavior under discussion here is that we (as of
recently) explicitly allow specifying multiple domains
using idmap_ad with the same range, hence transferring
a bigger level of trust to the AD admin.

Are you proposing to enhance this module to try and
autodetect a useful range from the AD?

Cheers - Michael
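The rule Michael describes above (several domains may share one idmap range only when all of them use the ad backend, because the AD admin is trusted to keep the IDs unique) can be checked mechanically before a config is rolled out. The script below is an added example, not code from this thread or from Samba's testparm: it reads smb.conf text on stdin, collects the `idmap config DOMAIN : backend` and `idmap config DOMAIN : range` lines, and reports inverted ranges and any overlap between two domains unless both use the ad backend. The two configurations embedded in it are constructed for the example and are not real site configs.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): a stand-alone checker
# for "idmap config" ranges in an smb.conf. Rule applied, as stated in the
# message above: two domains may share a range only when both use the ad
# backend; every other overlap is reported, as is an inverted range.

# Constructed sample configurations (not real site configurations).
GOOD_SMB_CONF='[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CORP : backend = ad
   idmap config CORP : range = 10000-999999
   idmap config PARTNER : backend = ad
   idmap config PARTNER : range = 10000 - 999999'

BAD_SMB_CONF='[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-20000
   idmap config CORP : backend = ad
   idmap config CORP : range = 10000-999999'

# check_idmap_ranges < smb.conf
# Prints one line per problem; returns 1 if any problem was found, else 0.
check_idmap_ranges() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN { bad = 0; n = 0 }
    # Only "idmap config DOMAIN : backend|range = value" lines matter here.
    /^[ \t]*idmap config[ \t]*[^:]*:[ \t]*(backend|range)[ \t]*=/ {
        line = $0
        sub(/^[ \t]*idmap config[ \t]*/, "", line)
        c = index(line, ":")
        dom = toupper(trim(substr(line, 1, c - 1)))   # domain names are case-insensitive
        rest = substr(line, c + 1)
        e = index(rest, "=")
        key = trim(substr(rest, 1, e - 1))
        val = trim(substr(rest, e + 1))
        if (!(dom in seen)) { seen[dom] = 1; order[++n] = dom }
        if (key == "backend") backend[dom] = tolower(val)
        if (key == "range") {
            split(val, r, "-")
            lo[dom] = trim(r[1]) + 0; hi[dom] = trim(r[2]) + 0
            if (lo[dom] > hi[dom]) {
                printf("inverted range for %s: %s\n", dom, val); bad = 1
            }
        }
    }
    END {
        for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++) {
            a = order[i]; b = order[j]
            if (!(a in lo) || !(b in lo)) continue          # no range to compare
            if (lo[a] > hi[b] || lo[b] > hi[a]) continue     # disjoint ranges
            # A shared range is explicitly allowed when both sides are idmap_ad.
            if (backend[a] == "ad" && backend[b] == "ad") continue
            printf("overlap: %s (%s, %d-%d) and %s (%s, %d-%d)\n",
                   a, backend[a], lo[a], hi[a], b, backend[b], lo[b], hi[b])
            bad = 1
        }
        exit bad
    }'
}

echo "checking good config:"
printf '%s\n' "$GOOD_SMB_CONF" | check_idmap_ranges && echo "  no problematic overlaps"
echo "checking bad config:"
printf '%s\n' "$BAD_SMB_CONF" | check_idmap_ranges || echo "  problem(s) found"
```

Run it against a real file with `check_idmap_ranges < /etc/samba/smb.conf`. The check is deliberately narrower than what testparm validates: it looks at nothing but the backend and range keys, so it complements rather than replaces `testparm`.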
