[PATCH] Check idmap config with testparm
asn at samba.org
Mon Dec 12 09:15:47 UTC 2016
On Monday, 12 December 2016 09:37:07 CET Michael Adam wrote:
> On 2016-12-08 at 10:46 -0800, Jeremy Allison wrote:
> > On Thu, Dec 08, 2016 at 09:48:25AM +0100, Volker Lendecke wrote:
> > > On Thu, Dec 08, 2016 at 07:58:40AM +0000, Rowland Penny wrote:
> > > > Hi Volker, Could you explain for the idiots amongst us (i.e. me), just
> > > > how this is supposed to work ?
> > >
> > > The AD backend just reads the SFU attributes in Active Directory.
> > > This is completely controlled by the administrator of the domains. I
> > > have several customers with a global unix id allocation policy but
> > > where the unix ids are spread across multiple domains in a more or
> > > less random fashion. Globally unix ids are guaranteed to be unique,
> > > but you can't tell from a range assignment which domain they belong
> > > to. What winbind with overlapping ranges now does is just try all of
> > > the domains until a mapping is found. There is no guarantee of a
> > > particular order in which domains are tried, we depend on the AD
> > > administration to guarantee uniqueness. This is for unixid2sid,
> > > sid2unixid is simple, there we can just find the domain from the sid.
> > It's nice that we can do this, but I would certainly
> > consider this under "Advanced" usage :-).
> It may be, but if you think about it, for the AD backend
> this may actually be a very common and reasonable config.
> > For most regular users - a blanket "don't have overlapping
> > ranges" would be very good advice !
> True. But complaining with "ERROR" about a supported
> (albeit advanced) config may not be the right thing..
Here is an updated patchset. For idmap_ad overlapping configs it will issue a
NOTE that they overlap, for all other combinations it will print an error.
Michael and I also implemented that winbind fails if an invalid idmap default
backend is specified.
If nobody pushes it earlier or objects, I will push it tomorrow.
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
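
The overlap rule discussed in this thread, as an added example that is not part of the attached patchset or of Samba's testparm code: a stand-alone Python check over `idmap config` lines. It assumes a pair is downgraded to NOTE only when both overlapping domains use the `ad` backend; the domain names and ranges in the sample are constructed.

```python
import re
from itertools import combinations

# Constructed sample smb.conf fragment (domain names and ranges are made up).
SAMPLE_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CORP : backend = ad
    idmap config CORP : range = 10000-999999
    idmap config LAB : backend = ad
    idmap config LAB : range = 10000-999999
    idmap config PARTNER : backend = rid
    idmap config PARTNER : range = 500000-599999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "low": int, "high": int}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # comments, section headers, unrelated parameters
        dom, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = value.lower()
        else:
            low, high = (int(x) for x in value.split("-", 1))
            entry["low"], entry["high"] = low, high
    return domains

def check_overlaps(domains):
    """Return (level, dom_a, dom_b) for each overlapping pair, by domain name."""
    findings = []
    ranged = {d: c for d, c in domains.items() if "low" in c}
    for (a, ca), (b, cb) in combinations(sorted(ranged.items()), 2):
        if ca["low"] <= cb["high"] and cb["low"] <= ca["high"]:
            # Assumption: only ad/ad overlaps are tolerated (uniqueness is
            # then the AD administrator's job); anything else is an error.
            both_ad = ca.get("backend") == "ad" and cb.get("backend") == "ad"
            findings.append(("NOTE" if both_ad else "ERROR", a, b))
    return findings

if __name__ == "__main__":
    for level, a, b in check_overlaps(parse_idmap(SAMPLE_CONF)):
        print(f"{level}: idmap range for {a} overlaps with {b}")
```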