[PATCH] Check idmap config with testparm
jra at samba.org
Thu Dec 8 18:46:04 UTC 2016
On Thu, Dec 08, 2016 at 09:48:25AM +0100, Volker Lendecke wrote:
> On Thu, Dec 08, 2016 at 07:58:40AM +0000, Rowland Penny wrote:
> > Hi Volker, Could you explain for the idiots amongst us (i.e. me), just
> > how this is supposed to work ?
> The AD backend just reads the SFU attributes in Active Directory.
> This is completely controlled by the administrator of the domains. I
> have several customers with a global unix id allocation policy but
> where the unix ids are spread across multiple domains in a more or
> less random fashion. Globally unix ids are guaranteed to be unique,
> but you can't tell from a range assignment which domain they belong
> to. What winbind with overlapping ranges now does is just try all of
> the domains until a mapping is found. There is no guarantee of a
> particular order in which domains are tried, we depend on the AD
> administration to guarantee uniqueness. This is for unixid2sid,
> sid2unixid is simple, there we can just find the domain from the sid.
It's nice that we can do this, but I would certainly
consider this under "Advanced" usage :-).
For most regular users - a blanket "don't have overlapping
ranges" would be very good advice !