[PATCH] Check idmap config with testparm

Rowland Penny repenny241155 at gmail.com
Thu Dec 8 10:53:13 UTC 2016


On Thu, 8 Dec 2016 11:38:17 +0100
Michael Adam <obnox at samba.org> wrote:

> On 2016-12-08 at 10:14 +0000, Rowland Penny wrote:
> > On Thu, 8 Dec 2016 11:02:01 +0100
> > Volker Lendecke <vl at samba.org> wrote:
> > 
> > > On Thu, Dec 08, 2016 at 09:46:49AM +0000, Rowland Penny wrote:
> > > > I think we need to decide one way or the other, at the moment on
> > > > this Samba wiki page:
> > > > 
> > > > https://wiki.samba.org/index.php/Idmap_config_ad
> > > > 
> > > > Under the heading:
> > > > 
> > > > Advantages and Disadvantages of the ad Back End
> > > > 
> > > > and sub heading:
> > > > 
> > > > Disadvantages:
> > > > 
> > > > It says this:
> > > > 
> > > > If the Windows Active Directory Users and Computers (ADUC)
> > > > program is not used, you have to manually track ID values to
> > > > avoid duplicates.
> > > > 
> > > > So with one hand we are saying it is okay to use the
> > > > msSFU30Max*idNumber attributes, but on the other hand it isn't
> > > > if you use samba-tool. This is a bit inconsistent.
> > > 
> > > I'm afraid that I was just looking at it from a samba member
> > > perspective. For the AD DC to handle this properly we need to
> > > implement the rid allocation algorithm also for unix ids, but this
> > > time globally across the whole forest. But this horse has been
> > > beaten to death so many times that I'm not sure we still have
> > > remnants of its corpse around.
> > > 
> > > Volker
> > 
> > I think you are missing the point here, if you use ADUC, you use the
> > msSFU30Max*idNumber attributes. If you use samba-tool, you don't.
> > 
> > This is inconsistent, it is either okay to use the
> > msSFU30Max*idNumber attributes or it isn't, which is it?
> 
> Hmm, Rowland, I am not sure I get your point.
> 
> This is about the idmap_ad module, not about the AD/DC server.
> 
> It is a client to an active directory, and retrieves user/group
> IDs from there. It is very stupid in that it can be configured
> with a range that the AD admin tells the samba admin.
> It does not know about any msSFU30Max attribute, and afaict
> does not need to.
> 
> The behavior under discussion here is that we (as of
> recently) explicitly allow to specify multiple domains
> using idmap_ad with the same range, hence transferring
> a bigger level of trust to the AD admin.
> 
> Are you proposing to enhance this module to try and
> autodetect a useful range from the AD?
> 
> Cheers - Michael
> 

It sort of spun out of it being said that the 'ad' domain ranges can
overlap and if you are altering idmap_ad on a domain member, you are
also altering it on the AD DCs. You have to give users uidNumber
attributes that are inside the range you set on the domain members and
if you do this, it overrides the xidNumbers in idmap.ldb on the DCs.

So my point is, you cannot just look at this from the point of view of
idmap_ad, you have to look at it in the round, and in the round we are
saying it is okay to use the 'msSFU30MaxUidnumber' &
'msSFU30MaxGidNumber' attributes if you use ADUC, but you must not use
these if you use samba-tool, this is inconsistent!

Rowland
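An added example, not the patch named in the subject line nor Samba's own testparm: a small checker over a constructed smb.conf fragment (domain names SAMDOM, OTHERDOM and TRUSTED are placeholders) that flags missing backends or ranges, inverted ranges, and overlapping ranges between domains, tolerating overlap only when both domains use the ad backend, as the thread says is now explicitly allowed.

```python
import re
# Constructed smb.conf fragment for demonstration; not taken from the thread.
SMB_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
    idmap config OTHERDOM : backend = ad
    idmap config OTHERDOM : range = 10000-999999
    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 500000-600000
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap_config(text):
    """Collect each domain's backend and (low, high) range from smb.conf text."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val.lower()
    return domains

def check_idmap_config(text):
    """Return a list of problems; an empty list means the idmap config passed."""
    domains = parse_idmap_config(text)
    problems = []
    for dom, cfg in domains.items():
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend")
        if "range" not in cfg:
            problems.append(f"{dom}: no range")
        elif cfg["range"][0] > cfg["range"][1]:
            problems.append(f"{dom}: range low > high")
    ranged = sorted(d for d in domains if "range" in domains[d])
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            (alo, ahi), (blo, bhi) = domains[a]["range"], domains[b]["range"]
            # Overlap is tolerated only when both domains use the ad backend.
            both_ad = {domains[a].get("backend"), domains[b].get("backend")} == {"ad"}
            if alo <= bhi and blo <= ahi and not both_ad:
                problems.append(f"{a} and {b}: overlapping ranges")
    return problems
```

Run against the fragment above, the two ad domains sharing a range pass, while the rid domain whose range falls inside theirs is reported.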
