[PATCH] Check idmap config with testparm

Michael Adam obnox at samba.org
Mon Dec 12 08:37:07 UTC 2016

On 2016-12-08 at 10:46 -0800, Jeremy Allison wrote:
> On Thu, Dec 08, 2016 at 09:48:25AM +0100, Volker Lendecke wrote:
> > On Thu, Dec 08, 2016 at 07:58:40AM +0000, Rowland Penny wrote:
> > > Hi Volker, Could you explain for the idiots amongst us (i.e. me), just
> > > how this is supposed to work ?
> > 
> > The AD backend just reads the SFU attributes in Active Directory.
> > This is completely controlled by the administrator of the domains. I
> > have several customers with a global unix id allocation policy but
> > where the unix ids are spread across multiple domains in a more or
> > less random fashion. Globally unix ids are guaranteed to be unique,
> > but you can't tell from a range assignment which domain they belong
> > to. What winbind with overlapping ranges now does is just try all of
> > the domains until a mapping is found. There is no guarantee of a
> > particular order in which domains are tried, we depend on the AD
> > administration to guarantee uniqueness. This is for unixid2sid,
> > sid2unixid is simple, there we can just find the domain from the sid.
> It's nice that we can do this, but I would certainly
> consider this under "Advanced" usage :-).

It may be, but if you think about it, for the AD backend
this may actually be a very common and reasonable config.

> For most regular users - a blanket "don't have overlapping
> ranges" would be very good advice !

True. But complaining with "ERROR" about a supported
(albeit advanced) config may not be the right thing..
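
The following sketch is an added example, not part of the message above, the patch under discussion, or Samba's testparm code. It parses `idmap config` lines and reports overlapping ranges, rating an overlap as a warning when both domains use the `ad` backend and as an error otherwise. That severity policy is an assumption drawn from this thread, and the sample configuration is constructed.

```python
import re
from itertools import combinations

# Constructed sample smb.conf fragment (domain names and ranges are made up).
SAMPLE_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMA : backend = ad
    idmap config DOMA : range = 10000-999999
    idmap config DOMB : backend = ad
    idmap config DOMB : range = 10000-999999
    idmap config DOMC : backend = rid
    idmap config DOMC : range = 500000-599999
"""

LINE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return domains

def check_overlaps(domains):
    """Return [(severity, dom_a, dom_b)] for each pair of overlapping ranges."""
    findings = []
    ranged = sorted(((d, e) for d, e in domains.items() if "range" in e),
                    key=lambda item: item[0])
    for (a, ea), (b, eb) in combinations(ranged, 2):
        (alo, ahi), (blo, bhi) = ea["range"], eb["range"]
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            # Assumed policy: two "ad" domains may share a range because
            # uniqueness is then guaranteed by the AD administration.
            both_ad = ea.get("backend") == "ad" and eb.get("backend") == "ad"
            findings.append(("WARNING" if both_ad else "ERROR", a, b))
    return findings
```
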
