[PATCH] Check if the idmap_hash range is big enough
obnox at samba.org
Wed Feb 15 22:08:19 UTC 2017
On 2017-02-15 at 14:43 +0100, Andreas Schneider wrote:
> On Wednesday, 15 February 2017 14:21:22 CET Ralph Böhme wrote:
> > On Wed, Feb 15, 2017 at 01:55:13PM +0100, Andreas Schneider wrote:
> > > On Wednesday, 15 February 2017 12:19:48 CET Ralph Böhme wrote:
> > > > On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider wrote:
> > > > > + The module divides the the range into subranges for treated
> > > > > domains.
> > > > >
> > > > ^^^^^^^
> > > >
> > > > Is this a new AD trust type?
> > > >
> > > > "I treat you the way you treat me!"
> > > >
> > > > :)
> > >
> > > Well, there is BUILTIN and the local domain. How would you describe it?
> > I might be missing something, but I was assuming it's a typo and you meant
> > "trusted" ?
> Michael, are 500000 IDs enough for just one domain or do you need also 500000
> IDs for BUILTIN and the local domain?

Iirc, currently BUILTIN and local domain are treated by the group
mapping mechanisms that use the allocate_id method and they do not
appear as proper domains in * id-mapping by default.
allocate id is not implemented by idmap_hash currently.

This idmap_hash manpage should carry a big caveat
"DO NOT USE THIS MODULE - IT HAS CONCEPTUAL PROBLEMS" ... :-)

Like: two different domains have a >0% chance of colliding
and consuming the same range. Not funny!
And if the domain has more than the ~ 500,000 objects, then
the IDs will wrap around, i.e. RID and RID+524288 from the same
domain will have the same Unix ID associated ....

> Or do you need it for each additional trusted domain only?
yeah unless they happen to consume the same range... :-/
Regarding your patch:
- The check for 500000 seems a bit heuristic to me.
- I (still) don't like the fact that the testparm binary
tests stuff for the modules which are kind of
Cheers - Michael
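
The wrap-around and the shared-range collision described in the mail above, as an added example (not part of the original mail and not Samba's idmap_hash code). It is a simplified model that assumes each domain gets a slot of 2^19 = 524288 IDs; the function names, range start, slot numbers and sample RIDs are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: one subrange per domain holds 2^19 = 524288 IDs, the
 * wrap-around distance quoted in the mail. */
#define SLOT_BITS 19u
#define SLOT_SIZE (1u << SLOT_BITS)

/* Constructed sample RIDs: two of them lie exactly one slot above others. */
static const uint32_t SAMPLE_RIDS[] = {
    500u, 1104u, 500u + SLOT_SIZE, 1104u + SLOT_SIZE, 2000u
};

/* Hypothetical model, not Samba's code: the domain picks a slot and the
 * RID is folded into that slot, so only its low 19 bits survive. */
static uint32_t model_unix_id(uint32_t range_low, uint32_t slot, uint32_t rid)
{
    return range_low + slot * SLOT_SIZE + (rid & (SLOT_SIZE - 1u));
}

/* Count pairs of distinct RIDs in one domain that share a Unix ID. */
static size_t count_aliased_pairs(uint32_t range_low, uint32_t slot,
                                  const uint32_t *rids, size_t n)
{
    size_t pairs = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            if (rids[i] != rids[j] &&
                model_unix_id(range_low, slot, rids[i]) ==
                model_unix_id(range_low, slot, rids[j])) {
                pairs++;
            }
        }
    }
    return pairs;
}

int main(void)
{
    const uint32_t low = 1000000u;  /* constructed range start */
    size_t n = sizeof(SAMPLE_RIDS) / sizeof(SAMPLE_RIDS[0]);

    printf("RID 1104 -> %u, RID %u -> %u\n",
           (unsigned)model_unix_id(low, 0u, 1104u), 1104u + SLOT_SIZE,
           (unsigned)model_unix_id(low, 0u, 1104u + SLOT_SIZE));
    printf("aliased RID pairs in sample: %zu\n",
           count_aliased_pairs(low, 0u, SAMPLE_RIDS, n));
    /* Two domains whose hash lands on the same slot get the same ID for
     * the same RID; only a different slot keeps them apart. */
    printf("slot 0 vs slot 1, RID 1104: %u vs %u\n",
           (unsigned)model_unix_id(low, 0u, 1104u),
           (unsigned)model_unix_id(low, 1u, 1104u));
    return 0;
}
```

Two different users or groups that end up on one Unix ID inherit each other's file ownership and access rights, which is why both effects matter for access control.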