A future module like idmap_hash or sssd? (was: Re: [PATCH] Check if the idmap_hash range is big enough)

Rowland Penny repenny241155 at gmail.com
Sun Feb 26 15:30:22 UTC 2017


On Sun, 26 Feb 2017 21:59:35 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> 
> I'm told that sssd has a scheme like idmap_hash that is less
> offensive, is that the case, or is it just that it is outside Samba
> so we don't hear about the problems?
> 

There is this in 'man sssd-ad', under the heading 'Mapping Algorithm':

The SID string is passed through the murmurhash3 algorithm to convert it to a 32-bit hashed value. We then take the modulus of this value with the total number of available slices to pick the slice.

NOTE: It is possible to encounter collisions in the hash and subsequent
modulus. In these situations, we will select the next available slice,
but it may not be possible to reproduce the same exact set of slices on
other machines (since the order that they are encountered will
determine their slice). In this situation, it is recommended to either
switch to using explicit POSIX attributes in Active Directory
(disabling ID-mapping) or configure a default domain to guarantee that
at least one is always consistent. See "Configuration" for details. 

So it looks like sssd has exactly the same problem as the one you are
trying to avoid.

Rowland
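
Added example (not part of the original message, and not sssd's own code): a Python sketch of the slice selection the man page excerpt describes, showing that two domains whose hashes land on the same slice are mapped differently depending on which one a host encounters first. The seed, the wrap-around probing, the slice count of 16, the range values in `first_id` and the domain SIDs are all assumptions or constructed sample values.

```python
from itertools import count

M = 0xFFFFFFFF
SEED = 0xDEADBEEF  # assumption: the excerpt does not state the seed

def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & M

def murmur3_32(data, seed):
    """MurmurHash3 (x86, 32-bit variant) of a byte string."""
    h = seed & M
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        k = int.from_bytes(chunk, "little")
        k = (rotl((k * 0xCC9E2D51) & M, 15) * 0x1B873593) & M
        h ^= k
        if len(chunk) == 4:  # only full blocks get the extra mixing step
            h = (rotl(h, 13) * 5 + 0xE6546B64) & M
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & M
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & M
    return h ^ (h >> 16)

def assign_slices(domain_sids, n_slices, seed=SEED):
    """Map each SID to hash % n_slices, taking the next free slice on collision."""
    owner, result = {}, {}
    for sid in domain_sids:
        s = murmur3_32(sid.encode(), seed) % n_slices
        for _ in range(n_slices):
            if s not in owner:
                break
            s = (s + 1) % n_slices  # assumption: linear probe with wrap-around
        else:
            raise RuntimeError("no free slice left")
        owner[s], result[sid] = sid, s
    return result

def find_colliding_pair(n_slices, seed=SEED):
    """Search constructed domain SIDs until two pick the same slice."""
    seen = {}
    for i in count():
        sid = f"S-1-5-21-1111111111-2222222222-{i}"  # constructed sample SID
        s = murmur3_32(sid.encode(), seed) % n_slices
        if s in seen:
            return seen[s], sid
        seen[s] = sid

def first_id(slice_no, range_min=200000, range_size=200000):
    return range_min + slice_no * range_size  # sample range values

if __name__ == "__main__":
    a, b = find_colliding_pair(16)
    for order in ([a, b], [b, a]):  # two hosts seeing the domains in a different order
        print({sid: first_id(s) for sid, s in assign_slices(order, 16).items()})
```

Running it prints two different SID-to-ID-range tables for the same pair of domains, which is the inconsistency the NOTE in the man page warns about.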
