[PATCH] Check idmap config with testparm

Michael Adam obnox at samba.org
Thu Dec 8 11:44:44 UTC 2016


On 2016-12-08 at 10:53 +0000, Rowland Penny wrote:
> On Thu, 8 Dec 2016 11:38:17 +0100
> Michael Adam <obnox at samba.org> wrote:
> 
> > On 2016-12-08 at 10:14 +0000, Rowland Penny wrote:
> > > On Thu, 8 Dec 2016 11:02:01 +0100
> > > Volker Lendecke <vl at samba.org> wrote:
> > > 
> > > > On Thu, Dec 08, 2016 at 09:46:49AM +0000, Rowland Penny wrote:
> > > > > I think we need to decide one way or the other, at the moment on
> > > > > this Samba wiki page:
> > > > > 
> > > > > https://wiki.samba.org/index.php/Idmap_config_ad
> > > > > 
> > > > > Under the heading:
> > > > > 
> > > > > Advantages and Disadvantages of the ad Back End
> > > > > 
> > > > > and sub heading:
> > > > > 
> > > > > Disadvantages:
> > > > > 
> > > > > It says this:
> > > > > 
> > > > > If the Windows Active Directory Users and Computers (ADUC)
> > > > > program is not used, you have to manually track ID values to
> > > > > avoid duplicates.
> > > > > 
> > > > > So with one hand we are saying it is okay to use the
> > > > > msSFU30Max*idNumber attributes, but on the other hand it isn't
> > > > > if you use samba-tool. This is a bit inconsistent.
> > > > 
> > > > I'm afraid that I was just looking at it from a samba member
> > > > perspective. For the AD DC to handle this properly we need to
> > > > implement the rid allocation algorithm also for unix ids, but this
> > > > time globally across the whole forest. But this horse has been
> > > > beaten to death so many times that I'm not sure we still have
> > > > remnants of its corpse around.
> > > > 
> > > > Volker
> > > 
> > > I think you are missing the point here, if you use ADUC, you use the
> > > msSFU30Max*idNumber attributes. If you use samba-tool, you don't.
> > > 
> > > This is inconsistent, it is either okay to use the
> > > msSFU30Max*idNumber attributes or it isn't, which is it ?
> > 
> > Hmm, Rowland, I am not sure I get your point.
> > 
> > This is about the idmap_ad module, not about the AD/DC server.
> > 
> > It is a client to an active directory, and retrieves user/group
> > IDs from there. It is very stupid in that it can be configured
> > with a range that the AD admin tells the samba admin.
> > It does not know about any msSFU30Max attribute, and afaict
> > does not need to.
> > 
> > The behavior under discussion here is that we (as of
> > recently) explicitly allow to specify multiple domains
> > using idmap_ad with the same range, hence transferring
> > a bigger level of trust to the AD admin.
> > 
> > Are you proposing to enhance this module to try and
> > autodetect a useful range from the AD?
> > 
> > Cheers - Michael
> > 
> 
> It sort of spun out of it being said that the 'ad' domain ranges can
> overlap and if you are altering idmap_ad on a domain member, you are
> also altering it on the AD DCs.

I don't think this has been said.

The idmap_ad module is merely a (read-only!) client of AD.
Neither does it know nor does it care how the AD admin
makes sure the IDs stay the same across the forest, i.e.
does not care about ADUC or samba-tool.

There is a certain situation in AD.
The AD admin communicates that to the Samba admin.
The samba admin creates a corresponding idmap config.
That's it.

> You have to give users uidNumber
> attributes that are inside the range you set on the domain members and
> if you do this, it overrides the xidNumbers in idmap.ldb on the DCs.

Right, when a samba AD/DC comes into play, things are getting
a little whacky. But the idmap_ad module does not know about
idmap.ldb (which has been a mistake in the first place
if you ask me). No member should care about idmap.ldb.
The id-mapping on the DC itself is completely independent
of the id-mapping on the member.

We *could* implement an id-mapping for a samba-ad-member
that uses certain pieces of knowledge about the samba
domain, but this here is not that discussion!

> So my point is, you cannot just look at this from the point of view of
> idmap_ad,

No. We *have to* look at it only from the pov of idmap_ad.
Simple read-only client. Stupid. Trusting. Period. :-)

> you have to look at it in the round and in the round we are
> saying it is okay to use the 'msSFU30MaxUidnumber' &
> 'msSFU30MaxGidNumber' attributes if you use ADUC, but you must not use
> these if you use samba-tool, this is inconsistent!

Sorry, I don't even know what that means.
(Saying "it is ok or not ok to use msSFU30MaxGidNumber" ...)

Michael
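The range rule discussed above (several domains may share one range only when all of them use the read-only idmap_ad backend) can be checked on a member's smb.conf before winbind starts. The following is an added example written for this page, not Samba's testparm or any code from the thread; the smb.conf fragment and domain names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment (not taken from the thread): two AD domains
# deliberately share one idmap_ad range, while a third domain uses idmap_rid
# with a range that falls inside theirs.
SMB_CONF = """
[global]
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CORP : backend = ad
    idmap config CORP : range = 10000-999999
    idmap config LABS : backend = ad
    idmap config LABS : range = 10000-999999
    idmap config LEGACY : backend = rid
    idmap config LEGACY : range = 500000-599999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect backend and range per idmap domain ('*' is the default domain)."""
    doms: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            doms.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return doms

def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'low-high' into ints, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text}")
    return lo, hi

def check_overlaps(doms: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return sorted domain pairs whose ranges intersect, skipping pairs in
    which both domains use the 'ad' backend (allowed per the message above)."""
    problems = []
    items = sorted(doms.items())
    for i, (a, ca) in enumerate(items):
        lo_a, hi_a = parse_range(ca["range"])
        for b, cb in items[i + 1:]:
            lo_b, hi_b = parse_range(cb["range"])
            if lo_a <= hi_b and lo_b <= hi_a:  # intervals intersect
                both_ad = ca["backend"].lower() == "ad" == cb["backend"].lower()
                if not both_ad:
                    problems.append((a, b))
    return problems

if __name__ == "__main__":
    for a, b in check_overlaps(parse_idmap(SMB_CONF)):
        print(f"ERROR: idmap ranges of {a} and {b} overlap")
```

Run against the constructed fragment it accepts CORP and LABS sharing a range and reports LEGACY against each of them.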