[PATCH] Check if the idmap_hash range is big enough

Andreas Schneider asn at samba.org
Tue Feb 21 13:56:29 UTC 2017 

On Tuesday, 21 February 2017 10:16:21 CET Michael Adam wrote:
> Well. You want to change the manpage and testparm.
> I am reviewing your changes since I want the changes
> going in to be correct, and I want them to be an
> improvement over what we currently have...
> 
> What I personally want or would like to do myself is
> to remove the idmap_hash module altogether. But
> unfortunately that does not seem to be feasible,
> since it is used out there.

I've added a deprecation message to the init function. See attached patch.

> 
> > If you do not want to change/fix the manpage or add a check in idmap_hash
> > module itself then please tell me and I can stop wasting time on a
> > patchset
> > which is not accepted upstream.
> > 
> > If you want to fix the documentation please suggest a text for the
> > manpage.
> 
> Let me try to explain what the module does. This is not yet a
> polished text, but may serve as a basis:
> 
> =========================================================================
> The idmap_hash module calculates a Unix ID for a given SID as
> follows:
> 
> - Write the SID as DOMAINSID-RID.
> - The module calculates a 12-bit hash value of the DOMAINSID,
>   i.e. a value hash(DOMAINSID) between 0 and 4095.
> - The unix-ID for SID is then calculated as
> 
>     unix-id(SID) = hash(DOMAINSID) * 0x080000 + (RID % 0x080000)
> 
>   (Note 0x080000 == 524288 and 4095 == 0x0FFF.)
> 
> 
> Hence:
> 
> - Each domain has its predefined fixed range of
> 
>     hash(DOMAINSID)*0x080000 -- (hash(domainsid)*0x080000 + 524287)
> 
> - The overall required range to be able to map all SIDs is
> 
>     0 -- 4096 * 524288 - 1 = 2147483647
> 
> This leads to a few issues:
> 
> - Any range smaller than 0 - 2147483647 will filter some SIDs.
> - Since we can not start the range at 0, some SIDs can *never*
>   be mapped.
> - Some domain SIDs will be mapped to the same range.
> - RIDs will wrap around, i.e. DOMSID-RID and
>   DOMSID-(RID+524288) will be mapped to the same ID.
> 
> Hence the recommendation is:
> 
>    DO NOT USE THIS MODULE!
> 
> If you have to use it, then make the range as big as possible.
> I would say start as low as you can afford, i.e. 1000 or 10000.
> That way, you'll at least catch some IDs of those domains
> that are unfortunate enough to fall into hash value 0...
> (Note to Andreas: If you want to start at 520000 instead,
> completely filtering hash value 0 domains, that is a point of
> view as well, which comes closer to not using the module at all...)
> 
> All in all, I can only repeat:
> 
>    DO NOT USE THIS MODULE!

Here is a v5 of the patchset. I'm not sure we should outline so much things in 
the manpage for the user.


Please modify the manpage yourself if you want to give all the details or lets 
have a phone call and do it together.


I think we should at least fail to start if the user uses a range which is too 
small to map at least one domain. So he reads the manpage.



	Andreas


-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: idmap_hash_v5.patch
Type: text/x-patch
Size: 4347 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170221/19af1859/idmap_hash_v5.bin>

More information about the samba-technical mailing list