[PATCH] Check idmap config with testparm

Andreas Schneider asn at samba.org
Mon Dec 12 09:15:47 UTC 2016


On Monday, 12 December 2016 09:37:07 CET Michael Adam wrote:
> On 2016-12-08 at 10:46 -0800, Jeremy Allison wrote:
> > On Thu, Dec 08, 2016 at 09:48:25AM +0100, Volker Lendecke wrote:
> > > On Thu, Dec 08, 2016 at 07:58:40AM +0000, Rowland Penny wrote:
> > > > Hi Volker, Could you explain for the idiots amongst us (i.e. me), just
> > > > how this is supposed to work?
> > > 
> > > The AD backend just reads the SFU attributes in Active Directory.
> > > This is completely controlled by the administrator of the domains. I
> > > have several customers with a global unix id allocation policy but
> > > where the unix ids are spread across multiple domains in a more or
> > > less random fashion. Globally unix ids are guaranteed to be unique,
> > > but you can't tell from a range assignment which domain they belong
> > > to. What winbind with overlapping ranges now does is just try all of
> > > the domains until a mapping is found. There is no guarantee of a
> > > particular order in which domains are tried, we depend on the AD
> > > administration to guarantee uniqueness. This is for unixid2sid,
> > > sid2unixid is simple, there we can just find the domain from the sid.
> > 
> > It's nice that we can do this, but I would certainly
> > consider this under "Advanced" usage :-).
> 
> It may be, but if you think about it, for the AD backend
> this may actually be a very common and reasonable config.
> 
> > For most regular users - a blanket "don't have overlapping
> > ranges" would be very good advice !
> 
> True. But complaining with "ERROR" about a supported
> (albeit advanced) config may not be the right thing..

Here is an updated patchset. For idmap_ad overlapping configs it will issue a
NOTE that they overlap, for all other combinations it will print an error.


Michael and I also implemented that winbind fails if an invalid idmap default 
backend is specified.


If nobody pushes it earlier or objects, I will push it tomorrow.



Thanks,



	Andreas



-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testparm_idmap_v3.patch
Type: text/x-patch
Size: 9573 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161212/e5974b9c/testparm_idmap_v3.bin>