[PATCH] Check idmap config with testparm

Rowland Penny repenny241155 at gmail.com
Thu Dec 8 12:14:46 UTC 2016

See inline comments:

On Thu, 8 Dec 2016 12:44:44 +0100
Michael Adam <obnox at samba.org> wrote:

> On 2016-12-08 at 10:53 +0000, Rowland Penny wrote:

> > 
> > It sort of spun out of it being said that the 'ad' domain ranges can
> > overlap and if you are altering idmap_ad on a domain member, you are
> > also altering it on the AD DCs.
> I don't think this has been said.

Not explicitly, but to get idmap_ad working on a domain member
means adding uidNumber attributes to users in AD, and this alters a
Samba AD DC.

> The idmap_ad module is merely a (read-only!) client of AD.
> Neither does it know nor does it care how the AD admin
> makes sure the IDs stay the same across the forest, i.e.
> does not care about ADUC or samba-tool.

Yes, it is down to the admin, but we are being inconsistent: it is
okay to use the counters that Microsoft provided in AD if you use ADUC,
but you cannot do this if you use samba-tool.

> There is a certain situation in AD.
> The AD admin communicates that to the Samba admin.
> The samba admin creates a corresponding idmap config.
> That's it.

Hang on, Samba provides the AD as well, so the 'AD admin' and the
'Samba admin' could be the same person.

> > You have to give users uidNumber
> > attributes that are inside the range you set on the domain members
> > and if you do this, it overrides the xidNumbers in idmap.ldb on
> > the DCs.
> Right, when a samba AD/DC comes into play, things are getting
> a little whacky. But the idmap_ad module does not know about
> idmap.ldb (which has been a mistake in the first place
> if you ask me). No member should care about idmap.ldb.
> The id-mapping on the DC itself is completely independent
> of the id-mapping on the member.

The id-mapping isn't independent of the id-mapping on a domain member;
for one thing, it isn't mapping, you explicitly set a UID for a user in
AD. Also, if you do give a user a uidNumber, it overrides the
xidNumber the user has in idmap.ldb; this way users have the same ID.

> We *could* implement an id-mapping for a samba-ad-member
> that uses certain pieces of knowledge about the samba
> domain, but this here is not that discussion!

Totally agree on this

> > So my point is, you cannot just look at this from the point of view
> > of idmap_ad,
> No. We *have to* look at it only from the pov of idmap_ad.
> Simple read-only client. Stupid. Trusting. Period. :-)

Yes, it is read-only, but it affects Samba DCs.

> > you have to look at in the round and in the round we are
> > saying it is okay to use the 'msSFU30MaxUidnumber' &
> > 'msSFU30MaxGidNumber' attributes if you use ADUC, but you must not
> > use these if you use samba-tool, this is inconsistent!
> Sorry, I don't even know what that means.
> (Saying "it is ok or not ok to use msSFU30MaxGidNumber" ...)

If you use ADUC, the next UID & GID are stored in AD; it seems this
is okay, but this is not allowed if you use samba-tool.
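
The check the subject line refers to, as an added example that is not
code from the Samba tree or from either poster: a small testparm-style
checker for a domain member's "idmap config" lines, plus a check that the
uidNumber values an AD admin has assigned actually fall inside the range
the member configured for the 'ad' backend. The sample smb.conf, the
user/uidNumber table and all function names are constructed for this
example. One rule is an assumption rather than a description of testparm:
an overlap between two domains that both use the read-only 'ad' backend is
reported as a warning, reflecting the position argued above, while an
overlap involving an allocating backend such as tdb is reported as an
error. The uidNumber check encodes the documented idmap_ad behaviour that
the range acts as a filter, so an ID stored in AD outside the range is
discarded and the user gets no UID on the member at all.

```python
"""Checker for a Samba domain member's idmap configuration (added example)."""
import re

# Matches "idmap config DOMAIN : key = value"; domain '*' is the default domain.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)

# Constructed sample smb.conf for a member using idmap_ad (not from the thread).
SAMPLE_SMB_CONF = """
[global]
   security = ads
   workgroup = EXAMPLE
   realm = EXAMPLE.COM

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
"""

# Constructed uidNumber values as an AD admin might have set them (not real data).
SAMPLE_USERS = {
    ("EXAMPLE", "alice"): 10001,   # inside the member's range: mapped
    ("EXAMPLE", "bob"): 5,         # outside the range: idmap_ad discards it
}


def parse_idmap_config(smb_conf):
    """Return {DOMAIN: {key: value, ..., "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val.lower()
    return domains


def check_idmap_config(domains):
    """Return testparm-style findings ("ERROR: ..." / "WARNING: ...") for the config."""
    findings = []
    if "*" not in domains:
        findings.append("ERROR: no 'idmap config * : backend' default domain")
    for dom, entry in domains.items():
        if "backend" not in entry:
            findings.append(f"ERROR: {dom}: no backend configured")
        if "range" not in entry:
            findings.append(f"ERROR: {dom}: no range configured")
        elif entry["range"][0] > entry["range"][1]:
            findings.append(f"ERROR: {dom}: range low end above high end")
    ranged = [(d, e) for d, e in domains.items() if "range" in e]
    for i, (d1, e1) in enumerate(ranged):
        for d2, e2 in ranged[i + 1:]:
            (l1, h1), (l2, h2) = e1["range"], e2["range"]
            if l1 <= h2 and l2 <= h1:
                # Assumption (the position argued in the thread, not testparm's
                # rule): two read-only 'ad' domains sharing a range only warrant a
                # warning; with an allocating backend a shared range is a real
                # ID collision between two SIDs.
                both_ad = e1.get("backend") == "ad" and e2.get("backend") == "ad"
                level = "WARNING" if both_ad else "ERROR"
                findings.append(f"{level}: range of {d1} overlaps range of {d2}")
    return findings


def check_uidnumbers(domains, users):
    """Map (domain, user) -> verdict on whether idmap_ad on the member maps it."""
    verdicts = {}
    for (dom, user), uid in users.items():
        entry = domains.get(dom.upper())
        if entry is None or entry.get("backend") != "ad":
            verdicts[(dom, user)] = f"domain {dom} is not using idmap_ad; uidNumber is not consulted"
            continue
        low, high = entry["range"]
        if low <= uid <= high:
            verdicts[(dom, user)] = "ok"
        else:
            # The range is a filter: an ID outside it is discarded, so winbind
            # returns no UID for this user even though AD stores one.
            verdicts[(dom, user)] = (f"uidNumber {uid} is outside range {low}-{high}; "
                                     "idmap_ad discards the mapping and the user gets no UID")
    return verdicts


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    for finding in check_idmap_config(cfg) or ["idmap config OK"]:
        print(finding)
    for (dom, user), verdict in check_uidnumbers(cfg, SAMPLE_USERS).items():
        print(f"{dom}\\{user}: {verdict}")
```

Run against a real smb.conf by passing its contents to parse_idmap_config
and the uidNumber values pulled from AD (for example from "ldbsearch" or
"samba-tool user show") to check_uidnumbers; a user reported as outside the
range is exactly the case the thread describes, where the AD side and the
member side have been configured independently and no longer agree.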

