[PATCH] Check if the idmap_hash range is big enough

Andreas Schneider asn at samba.org
Tue Feb 21 08:32:53 UTC 2017


On Tuesday, 21 February 2017 02:10:17 CET Michael Adam wrote:
> On 2017-02-20 at 11:51 +0100, Andreas Schneider wrote:
> > On Friday, 17 February 2017 18:44:34 CET Michael Adam wrote:
> > > > -	idmap config * : range = 1000-4000000000
> > > > +	idmap config * : range = 100000-4000000000
> > > 
> > > If you want to catch as much as possible of a domain
> > > that gets hashed to 0, then the lower bound needs to
> > > be as low as possible, hence the 1000. But then,
> > > the first 1000 rids in a domain will be used as well,
> > > and hence why not skip this first range entirely
> > > and start at 500000 ? ;-)
> > 
> > Ok, let's start there. I think we should suggest 525000 that is big enough
> > and easy to deal with for our users.
> > 
> > > So:
> > > 
> > > - the idmap hash module, when used for "idmap config *",
> > > 
> > >   ideally should have the full range of
> > >   0 - 2147483648 which is not quite possible (at the low
> > >   end at least)...
> > 
> > The best is to start with 500000. 1000 is normally the start for local
> > users.
> Now what? 500000 or 525000 ? :-)
> 
> > See attached patchset.
> > 
> > 	Andreas
> > 
> > From c0f379a680613fdb28a23d0cf2e3ed9ace260fd7 Mon Sep 17 00:00:00 2001
> > From: Andreas Schneider <asn at samba.org>
> > Date: Wed, 15 Feb 2017 08:55:24 +0100
> > Subject: [PATCH 1/2] docs: Improve the idmap_hash manpage
> > 
> > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
> > 
> > Signed-off-by: Andreas Schneider <asn at samba.org>
> > ---
> > 
> >  docs-xml/manpages/idmap_hash.8.xml | 7 ++++++-
> >  1 file changed, 6 insertions(+), 1 deletion(-)
> > 
> > diff --git a/docs-xml/manpages/idmap_hash.8.xml
> > b/docs-xml/manpages/idmap_hash.8.xml index 9f4f1d1933c..a9230498efe
> > 100644
> > --- a/docs-xml/manpages/idmap_hash.8.xml
> > +++ b/docs-xml/manpages/idmap_hash.8.xml
> > @@ -24,6 +24,11 @@
> > 
> >  	  to support a local name mapping files if enabled via the
> >  	  "winbind normalize names" and "winbind nss info"
> >  	  parameters in smb.conf.
> > 
> > +	  The module divides the range into subranges for each domain that is
> > being +	  handled by the idmap config.
> > +	  Each range has a size of roughly 525000 IDs (20 bit). This means
> > +	  that the range for multiple domains needs to be large enough! So a
> > good value +	  is normally '100000-4000000' or even bigger.
> 
> That's not the main point.
> It's not that you need a couple of those ranges of size ~ 525000
> in order to accommodate a few domains.  You need *them all*
> because each domain has a fixed absolute range associated to it
> by the hashing algorithm, and you don't know a priori which domain
> will come by...
> 
> So no, the above range is not normally a good value,
> since those almost 8 ranges out of the more than 4000
> ranges that exist, are likely not among those needed
> for the domains that enter the system...
> 
> (apart from this, the low id of 100000 seems to contradict your
> mention of 525000 above...)

You should look at patch version v4.

You said a domain needs 524288 ids for allocation. So 525000 is easier for a 
user, that's why I chose that. If the text is wrong, could you please suggest 
a text instead of letting me do the guesswork here?

> >  	</para>
> >  
> >  </refsynopsisdiv>
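Review bot: The added sentence "Each range has a size of roughly 525000 IDs (20 bit)" does not add up: 20 bits is 1048576 values, while the 524288 figure used in this thread is 2^19, so the parenthesis should read 19 bit or give the exact 524288. The value recommended in the same paragraph, '100000-4000000', also stops at four million, whereas the example changed in the next hunk ends at 4000000000; the two should agree, and the paragraph should say that each domain's subrange is fixed by the hash rather than carved out of whatever range is configured.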
> > 
> > @@ -53,7 +58,7 @@
> > 
> >  	<programlisting>
> >  	[global]
> >  	idmap config * : backend = hash
> > 
> > -	idmap config * : range = 1000-4000000000
> > +	idmap config * : range = 100000-4000000000
> > 
> >  	winbind nss info = hash
> >  	winbind normalize names = yes
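Review bot: The new lower bound 100000 in the example range is not explained anywhere: the commit message carries only the BUG link, and the manpage paragraph added in the first hunk speaks of subranges of roughly 525000 IDs, which 100000 neither matches nor aligns to. Either use the bound the thread settles on (500000 and 525000 are both mentioned) or add a sentence next to the example saying why the range starts where it does.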
> 
> Again, this misses the main point, because the hash ranges
> are determined absolutely, and not relative to configured
> idmap ranges:
> 
> Yeah, it's right that a range this small can't even accommodate
> a single domain, but even if we are just big enough for one
> range, this is likely not an entire range (but starting in the
> middle of one range and ending in the middle of the next one),
> and even if one full range is included the likelihood that
> it will be this one range that is used by the domain of users
> logging on to the samba server is extremely low...
> 
> I am really sorry to be coming across so negatively.
> I would like to have a better answer, but currently
> I only know what is NOT sufficient or completely good... :-/


I don't see or understand where we are going here. I don't understand what you 
want.

If you do not want to change/fix the manpage or add a check in idmap_hash 
module itself then please tell me and I can stop wasting time on a patchset 
which is not accepted upstream.

If you want to fix the documentation please suggest a text for the manpage.


	Andreas


-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
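
The objection raised in the thread (each domain gets a fixed, absolute block of 524288 IDs, so a configured range only helps for the blocks it fully contains) can be checked numerically. This is an added example, not code from the patch or from Samba; the block count of 4096 and the layout of block k are assumptions, and `hash_range_coverage` is a hypothetical helper name.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Assumptions (labelled, not taken from the patch): every domain owns one
 * absolute block of 524288 IDs (the figure quoted in the thread), there are
 * 4096 such blocks (the thread only says "more than 4000"), and block k
 * spans [k * 524288, (k + 1) * 524288 - 1].
 */
#define BLOCK_SIZE  524288ULL
#define BLOCK_COUNT 4096ULL

struct coverage {
	uint64_t full;    /* blocks entirely inside the configured range */
	uint64_t partial; /* blocks cut by the low or high bound */
};

/* Count how many per-domain blocks a configured "low-high" range covers. */
static struct coverage hash_range_coverage(uint64_t low, uint64_t high)
{
	struct coverage c = { 0, 0 };

	if (high < low) {
		return c; /* invalid range covers nothing */
	}
	for (uint64_t k = 0; k < BLOCK_COUNT; k++) {
		uint64_t start = k * BLOCK_SIZE;
		uint64_t end = start + BLOCK_SIZE - 1;

		if (end < low || start > high) {
			continue; /* block lies outside the range */
		}
		if (start >= low && end <= high) {
			c.full++;
		} else {
			c.partial++;
		}
	}
	return c;
}

int main(void)
{
	/* Ranges quoted in the thread: manpage text, old and new example. */
	const uint64_t r[][2] = { { 100000, 4000000 }, { 1000, 4000000000ULL },
				  { 100000, 4000000000ULL } };

	for (size_t i = 0; i < sizeof(r) / sizeof(r[0]); i++) {
		struct coverage c = hash_range_coverage(r[i][0], r[i][1]);
		printf("%llu-%llu: %llu full, %llu partial blocks\n",
		       (unsigned long long)r[i][0], (unsigned long long)r[i][1],
		       (unsigned long long)c.full, (unsigned long long)c.partial);
	}
	return 0;
}
```

For '100000-4000000' this reports 6 full and 2 partial blocks out of 4096, so under these assumptions only a domain hashed into one of those six blocks has its whole block inside the configured range.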


