[PATCH] Check if the idmap_hash range is big enough

Michael Adam obnox at samba.org
Wed Feb 15 22:08:19 UTC 2017


On 2017-02-15 at 14:43 +0100, Andreas Schneider wrote:
> On Wednesday, 15 February 2017 14:21:22 CET Ralph Böhme wrote:
> > On Wed, Feb 15, 2017 at 01:55:13PM +0100, Andreas Schneider wrote:
> > > On Wednesday, 15 February 2017 12:19:48 CET Ralph Böhme wrote:
> > > > On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider wrote:
> > > > > +	  The module divides the the range into subranges for treated
> > > > > domains.
> > > > > 
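Review bot: The added manpage sentence repeats a word ("the the range"); drop one "the". "treated domains" is also unclear as written in this line, so the sentence should state which domains get a subrange.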
> > > >                                                               ^^^^^^^
> > > > 
> > > > Is this a new AD trust type?
> > > > 
> > > > "I treat you the way you treat me!"
> > > > 
> > > > :)
> > > 
> > > Well, there is BUILTIN and the local domain. How would you describe it?
> > 
> > I might be missing something, but I was assuming it's a typo and you meant
> > "trusted" ?
> 
> Michael, are 500000 IDs enough for just one domain or do you need also 500000
> IDs for BUILTIN and the local domain?

Iirc, currently BUILTIN and local domain are treated by the group
mapping mechanisms that use the allocate_id method and they do not
appear as proper domains in * id-mapping by default.

allocate id is not implemented by idmap_hash currently.

This idmap_hash manpage should carry a big caveat
"DO NOT USE THIS MODULE - IT HAS CONCEPTUAL PROBLEMS" ... :-)

Like: two different domains have a >0% chance of colliding
and consuming the same range. Not funny!

And if the domain has more than the ~ 500,000 objects, then
the IDs will wrap around, i.e. RID and RID+524288 from the same
domain will have the same Unix ID associated ....

> Or do you need it for each additional trusted domain only?

yeah unless they happen to consume the same range... :-/

Regarding your patch:

- The check for 500000 seems a bit heuristic to me.
- I (still) don't like the fact that the testparm binary
  tests stuff for the modules which are kind of
  separate.

Cheers - Michael
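
The two failure modes raised in this message (RID wrap-around inside a subrange, and two domains landing in the same subrange) can be modelled as follows; this is an added example, not part of the original mail and not Samba's idmap_hash code. It assumes only what the thread states (subranges of 524288 IDs, one hashed subrange per domain); the function names, the range start and the slot count of 4096 are constructed for illustration.

```c
/* Simplified model of a hash-style ID mapping, built from the thread's
 * description only; it is not Samba's idmap_hash implementation. */
#include <stdint.h>
#include <stdio.h>

#define SUBRANGE 524288u /* IDs per domain subrange (2^19), figure from the thread */

/* Offset inside the subrange: only the RID modulo SUBRANGE survives,
 * so larger RIDs wrap around onto earlier ones. */
static uint32_t rid_offset(uint32_t rid)
{
    return rid % SUBRANGE;
}

/* Unix ID for (slot, rid). 'slot' is the subrange index a domain hashes
 * to; the hash function itself is outside this model (assumption). Two
 * domains with the same slot therefore get identical IDs for equal RIDs. */
static uint32_t map_id(uint32_t range_low, uint32_t slot, uint32_t rid)
{
    return range_low + slot * SUBRANGE + rid_offset(rid);
}

/* Chance that at least two of 'domains' uniformly hashed domains share
 * one of 'slots' subranges (birthday bound). */
static double slot_collision_probability(unsigned domains, unsigned slots)
{
    double all_distinct = 1.0;
    for (unsigned i = 0; i < domains; i++) {
        if (i >= slots)
            return 1.0; /* more domains than subranges */
        all_distinct *= 1.0 - (double)i / slots;
    }
    return 1.0 - all_distinct;
}

int main(void)
{
    const uint32_t low = 1000000; /* constructed range start */

    /* Same domain: RID and RID + 524288 receive the same Unix ID. */
    printf("rid 1105 -> %u, rid 1105+524288 -> %u\n",
           map_id(low, 3, 1105), map_id(low, 3, 1105 + SUBRANGE));

    /* Constructed slot count of 4096; probability grows with domain count. */
    for (unsigned n = 2; n <= 64; n *= 2)
        printf("%2u domains: collision probability %.4f\n",
               n, slot_collision_probability(n, 4096));
    return 0;
}
```

Any pair of objects that receive the same Unix ID is indistinguishable to file-system permission checks, which is why both cases matter for access control.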
