[PATCH] Check idmap config with testparm

Alexander Bokovoy ab at samba.org
Mon Dec 12 13:28:08 UTC 2016


On Mon, 12 Dec 2016, Alexander Bokovoy wrote:
> On Thu, 08 Dec 2016, Michael Adam wrote:
> > On 2016-12-08 at 10:47 +0200, Alexander Bokovoy wrote:
> > > On Thu, 08 Dec 2016, Andreas Schneider wrote:
> > > > On Thursday, 8 December 2016 08:42:37 CET Michael Adam wrote:
> > > > > On 2016-12-07 at 18:43 +0100, Andreas Schneider wrote:
> > > > > > Hello,
> > > > > > 
> > > > > > you might know I work for a distributor and fix winbind issues there every
> > > > > > day.
> > > > > > I see so many invalid idmap configurations, I think 70% of the configs are
> > > > > > wrong or invalid.
> > > > > > 
> > > > > > In addition our documentation for ID mapping really sucks!
> > > > > 
> > > > > Hmm, I take this a little bit as a personal affront.
> > > > > Let me reply with a similar non-diplomatic statement:
> > > > > 
> > > > > 
> > > > > People should learn to read! :-)
> > > > > 
> > > > > 
> > > > > Have you read the section about "idmap config DOMAIN : OPTION" in
> > > > > "man smb.conf" and the backend specific manpages?
> > > > > 
> > > > > Among other things, smb.conf clearly states:
> > > > > 
> > > > >   "The first three of these [idmap_tdb, idmap_tdb2, idmap_ldap]
> > > > >   create mappings of their own using internal unixid counters and
> > > > >   store the mappings in a database.  These are suitable for use in
> > > > >   the default idmap configuration."
> > > > 
> > > > I do read those things but our customers don't. So should we abort if 
> > > > something other than these backends is used for the default domain?
> > > > 
> > > > Simply do not start winbind ...
> > > > 
> > > > > 
> > > > > As well as:
> > > > > 
> > > > >   "The configured ranges must be mutually disjoint."
> > > > > 
> > > > > Also, for further examples, reading the manpages of idmap_rid,
> > > > > I see:
> > > > > 
> > > > >   "One usually needs to define a writeable default idmap range,
> > > > >   using a backend like tdb or ldap that can create unix ids."
> > > > > 
> > > > > Looking at idmap_ad:
> > > > > 
> > > > >   "the ad backend does not work as the default idmap backend, but
> > > > >   one has to configure it separately for each domain for which
> > > > >   one wants to use it, using disjoint ranges."
> > > > > 
> > > > > 
> > > > > Enough examples. The doc is certainly not perfect, but
> > > > > saying it sucks just proves not having read it, imho.
> > > > 
> > > > The issue is that often our users do not read manpages. They search the web 
> > > > and what they find there lacks good information, explanations and examples.
> > > > 
> > > > I know how to configure ID mapping, our customers don't and clearly do not 
> > > > read the smb.conf manpage :(
> > > > 
> > > > 
> > > > This is not against you. It is also my fault that I didn't improve 
> > > > documentation earlier. But if our customers do not understand it, it sucks ;)
> > > > 
> > > > So let's improve it :-)
> > > > 
> > > What about this patch: add a top level identity management section to
> > > smb.conf(5) so that we can gather references to other documentation we
> > > have around the idmap modules?
> > > 
> > > The suggestion then would be 'read smb.conf(5), section on identity
> > > management, and all the references it contains'.
> > > 
> > > > 
> > > > > 
> > > > > > So I had a call with Marc and he started to improve it. See the User
> > > > > > documentation in the Wiki.
> > > > > > 
> > > > > > While trying to chase down a winbindd bug the last days I read all the
> > > > > > changes last year and stumbled upon Volkers nice
> > > > > > lp_wi_scan_global_parametrics() function again. So I decided it is time
> > > > > > to check the idmap config in testparm.
> > > > > This is an excellent idea!
> > > > > (Not relying on reading capabilities is always the safe bet... ;-)
> > > > > 
> > > > > > So here we go ...
> > > > > > 
> > > > > > 
> > > > > > <config>
> > > > > > 
> > > > > >         idmap config * : backend = rid
> > > > > >         idmap config * : range = 1000000-1999999
> > > > > >         
> > > > > >         # Winbind domain idmap
> > > > > >         idmap config EARTH : backend = rid
> > > > > >         idmap config EARTH : range = 100000000-199999999
> > > > > >         
> > > > > >         idmap config MARS : backend = rid
> > > > > >         idmap config MARS : range = 200000000-299999999
> > > > > >         
> > > > > >         idmap config VENUS : backend = rid
> > > > > >         idmap config VENUS : range = 150000000-399999999
> > > > > > 
> > > > > > </config>
> > > > > > 
> > > > > > <console>
> > > > > > bin/testparm smb.conf.ads > /dev/null
> > > > > > Load smb config files from smb.conf.ads
> > > > > > 
> > > > > > ERROR: Do not use the 'rid' backend for the default backend (idmap config *)!
> > > > > > 
> > > > > > ERROR: The idmap range for the domain MARS overlaps with the range of VENUS
> > > > > 
> > > > > Note that iirc, with Volker's recent work on idmap_ad, it
> > > > > is not forbidden any more to have overlapping idmap ranges!
> > > > > 
> > > > > At least you should be able to have multiple ad backend
> > > > > configs with the same range...
> > > > 
> > > > It still is not clear. Are overlapping ranges allowed
> > > > 
> > > > 	idmap config EARTH : backend = ad
> > > > 	idmap config EARTH : range = 1000-1999
> > > > 
> > > > 	idmap config EARTH : backend = ad
> > > > 	idmap config EARTH : range = 1500-2500
> > > > 
> > > > which I would find very strange. Or use the same range space
> > > > 
> > > > 	idmap config EARTH : backend = ad
> > > > 	idmap config EARTH : range = 1000-1999
> > > > 
> > > > 	idmap config EARTH : backend = ad
> > > > 	idmap config EARTH : range = 1000-1999
> > > > 
> > > > 
> > > > ????
> > > > 
> > > > 
> > > > 
> > > > 	Andreas
> > > > 
> > > > 
> > > > -- 
> > > > Andreas Schneider                   GPG-ID: CC014E3D
> > > > Samba Team                             asn at samba.org
> > > > www.samba.org
> > > > 
> > > 
> > > -- 
> > > / Alexander Bokovoy
> > 
> > > From d72988a0f4efd967963ddbb960268294a4d74899 Mon Sep 17 00:00:00 2001
> > > From: Alexander Bokovoy <ab at samba.org>
> > > Date: Thu, 8 Dec 2016 10:21:53 +0200
> > > Subject: [PATCH] smb.conf: add identity management section
> > > 
> > > Add a generic identity management section that points to the other
> > > resources in Samba documentation about idmap modules and their
> > > configuration.
> > > 
> > > This should help users to discover corresponding documentation easily.
> > 
> > This is a very good proposal!
> > A few detail comments inline below:
> Thanks for the comments, Michael.
> 
> Updated patch attached. I added an example from idmap_rid documentation
> to this section to show use of the options and keep it slightly
> different from the example in 'idmap config' option, for the benefit of
> showing more examples.
Sorry, missed an opening tag for citerefentry in the last reference in
the patch.

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 7b92509c050742df6122802aa4753656ec664166 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Thu, 8 Dec 2016 10:21:53 +0200
Subject: [PATCH] smb.conf: add identity mapping section

Add a generic identity mapping section that points to the other
resources in Samba documentation about idmap modules and their
configuration.

This should help users to discover corresponding documentation easily.

Signed-off-by: Alexander Bokovoy <ab at samba.org>
---
 docs-xml/manpages/smb.conf.5.xml | 60 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/docs-xml/manpages/smb.conf.5.xml b/docs-xml/manpages/smb.conf.5.xml
index 10c1fb4..402c1d7 100644
--- a/docs-xml/manpages/smb.conf.5.xml
+++ b/docs-xml/manpages/smb.conf.5.xml
@@ -754,6 +754,66 @@ chmod 1770 /usr/local/samba/lib/usershares
 
 </refsect1>
 
+<refsect1 ID="IDMAPCONSIDERATIONS">
+	<title>IDENTITY MAPPING CONSIDERATIONS</title>
+
+	<para>
+	In the SMB protocol, users, groups, and machines are represented by their security identifiers (SIDs).
+	On POSIX system Samba processes need to run under corresponding POSIX user identities and
+	with supplemental POSIX groups to allow access to the files owned by those users and groups.
+	The process of mapping SIDs to POSIX users and groups is called <emphasis>IDENTITY MAPPING</emphasis>
+	or, in short, <emphasis>ID MAPPING</emphasis>.
+	</para>
+
+	<para>
+	Samba supports multiple ways to map SIDs to POSIX users and groups. The configuration is driven by
+	the <smbconfoption name="idmap config DOMAIN : OPTION"/> option which allows one to specify identity
+	mapping (idmap) options for each domain	separately.
+	</para>
+
+	<para>
+	Identity mapping modules implement different strategies for mapping of SIDs to POSIX user and group
+	identities. They are applicable to different use cases and scenarios. It is advised to read the documentation
+	of the individual identity mapping modules before choosing a specific scenario to use. Each identity
+	management module is documented in a separate manual page. The standard idmap backends are
+	tdb (<citerefentry><refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	tdb2 (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	rid (<citerefentry><refentrytitle>idmap_rid</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	hash (<citerefentry><refentrytitle>idmap_hash</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	autorid (<citerefentry><refentrytitle>idmap_autorid</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	ad (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+	nss (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), and
+	rfc2307 (<citerefentry><refentrytitle>idmap_rfc2307</refentrytitle> <manvolnum>8</manvolnum></citerefentry>).
+	</para>
+
+	<para>
+	Overall, ID mapping configuration should be decided carefully. Changes to the already deployed ID mapping
+	configuration may create the risk of losing access to the data or disclosing the data to the wrong parties.
+	</para>
+
+	<para>
+	This example shows how to configure two domains with <citerefentry><refentrytitle>idmap_rid</refentrytitle>
+	<manvolnum>8</manvolnum> </citerefentry>, the principal domain and a trusted domain,
+	leaving the default id mapping scheme at tdb.
+	</para>
+
+	<programlisting>
+	[global]
+	security = domain
+	workgroup = MAIN
+
+	idmap config * : backend        = tdb
+	idmap config * : range          = 1000000-1999999
+
+	idmap config MAIN : backend     = rid
+	idmap config MAIN : range       = 10000 - 49999
+
+	idmap config TRUSTED : backend  = rid
+	idmap config TRUSTED : range    = 50000 - 99999
+	</programlisting>
+</refsect1>
+
 <refsect1>
 	<title>EXPLANATION OF EACH PARAMETER</title>
 	
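Review bot: the new section lists the backends but never states the two constraints this whole thread is about, which is what a reader landing here from a web search needs most: only backends that allocate ids themselves (tdb, tdb2, ldap, per the smb.conf(5) text quoted earlier in the thread) are suitable for the default "idmap config *" domain, and the configured ranges must be mutually disjoint. One sentence after the backend list saying exactly that, with a pointer to "idmap config DOMAIN : OPTION", would make the example that follows self-explanatory (it silently obeys both rules with tdb for "*" and non-overlapping 10000 - 49999 / 50000 - 99999 ranges). Smaller points in the same hunk: `<refsect1 ID="IDMAPCONSIDERATIONS">` uses an upper-case attribute name, and XML attribute names are case-sensitive, so please check this against the other `refsect1` elements in smb.conf.5.xml (DocBook defines the attribute as `id`); "On POSIX system Samba processes" should read "On POSIX systems, Samba processes"; and the text switches between "identity mapping module" and "identity management module" for the same thing, so pick one term, preferably the one in the section title.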
-- 
2.9.3
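The testparm check Andreas describes earlier in the thread, written here as a stand-alone Python script. This is an added example, not Samba's testparm code and not part of the patch under review. It encodes the two rules quoted from smb.conf(5) in the thread: only backends that create ids with their own counters (tdb, tdb2, ldap) may serve the default "idmap config *" domain, and all configured ranges must be mutually disjoint. It also validates range syntax ("LOW-HIGH" with LOW below HIGH), which testparm's output above does not show. The thread leaves open whether several idmap_ad domains may share a range, so this script treats every overlap as an error; that is an assumption of the script, not a statement about winbindd. The two sample configurations are constructed from the ones posted in the thread.

```python
"""Stand-alone idmap configuration checker (added example, not Samba code).
Applies the smb.conf(5) rules quoted in the thread; treating idmap_ad range
overlaps as errors is an assumption of this script."""
import re
from collections import defaultdict

# Backends that create mappings with their own unixid counters (smb.conf(5)),
# hence the only ones suitable for the default "idmap config *" domain.
ALLOCATING_BACKENDS = {"tdb", "tdb2", "ldap"}

# Matches e.g. "idmap config EARTH : range = 100000000-199999999" and the
# "*" default domain; option names are case-insensitive in smb.conf.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed sample inputs, taken from the two configurations in the thread.
BAD_CONFIG = """
idmap config * : backend = rid
idmap config * : range = 1000000-1999999
# Winbind domain idmap
idmap config EARTH : backend = rid
idmap config EARTH : range = 100000000-199999999
idmap config MARS : backend = rid
idmap config MARS : range = 200000000-299999999
idmap config VENUS : backend = rid
idmap config VENUS : range = 150000000-399999999
"""

GOOD_CONFIG = """
[global]
security = domain
workgroup = MAIN
idmap config * : backend        = tdb
idmap config * : range          = 1000000-1999999
idmap config MAIN : backend     = rid
idmap config MAIN : range       = 10000 - 49999
idmap config TRUSTED : backend  = rid
idmap config TRUSTED : range    = 50000 - 99999
"""


def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains[m.group("dom").upper()][m.group("opt").lower()] = m.group("val")
    return dict(domains)


def parse_range(value):
    """Parse 'LOW-HIGH' (spaces allowed, as in '10000 - 49999') into ints."""
    parts = value.split("-")
    if len(parts) != 2:
        raise ValueError("expected LOW-HIGH, got %r" % value)
    low, high = (int(p.strip()) for p in parts)
    if low >= high:
        raise ValueError("low bound %d is not below high bound %d" % (low, high))
    return low, high


def check_idmap_config(text):
    """Return a list of error strings; an empty list means the config passed."""
    errors = []
    domains = parse_idmap_config(text)

    default = domains.get("*", {})
    if "backend" not in default:
        errors.append("ERROR: No default idmap backend (idmap config * : backend) is set")
    elif default["backend"].lower() not in ALLOCATING_BACKENDS:
        errors.append("ERROR: Do not use the '%s' backend for the default backend "
                      "(idmap config *)!" % default["backend"])

    ranges = []
    for dom, opts in domains.items():
        if "backend" not in opts:
            errors.append("ERROR: idmap config %s has no backend" % dom)
        if "range" not in opts:
            errors.append("ERROR: idmap config %s has no range" % dom)
            continue
        try:
            low, high = parse_range(opts["range"])
        except ValueError as exc:
            errors.append("ERROR: idmap range for %s is invalid: %s" % (dom, exc))
            continue
        ranges.append((low, high, dom))

    # Sorted by lower bound, a later range overlaps an earlier one exactly when
    # its low end does not exceed the earlier high end. Every overlapping pair
    # is reported, not only the first one found.
    ranges.sort()
    for i, (_, high1, dom1) in enumerate(ranges):
        for low2, _, dom2 in ranges[i + 1:]:
            if low2 <= high1:
                errors.append("ERROR: The idmap range for the domain %s overlaps "
                              "with the range of %s" % (dom1, dom2))
    return errors


if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print("%s config:" % name)
        for err in check_idmap_config(cfg) or ["OK"]:
            print("  " + err)
```

On the first configuration the script reports the rid default backend plus two overlaps, EARTH with VENUS and VENUS with MARS, whereas the testparm output quoted above shows only the MARS/VENUS pair; a checker meant to catch misconfiguration in the field should list every overlapping pair, since fixing one range and re-running is exactly what the users in question will not do. The second configuration, the one from the patch, passes clean.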


