Why is the 'sss' backend verboten as a default IDMAP backend?

Richard Sharpe realrichardsharpe at gmail.com
Fri Jul 14 22:43:41 UTC 2017


On Fri, Jul 14, 2017 at 3:16 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Fri, Jul 14, 2017 at 2:57 PM, Jeremy Allison <jra at samba.org> wrote:
>> On Fri, Jul 14, 2017 at 02:53:21PM -0700, Richard Sharpe via samba-technical wrote:
>>> Hi folks,
>>>
>>> Just testing 4.7rc3 and ran into this problem:
>>>
>>> ERROR: Do not use the 'sss' backend as the default idmap backend!
>>>
>>> Why is that?
>>
>> git blame on testparm gives:
>>
>> $ git show 3de634d7a04f
>> commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
>> Author: Andreas Schneider <asn at samba.org>
>> Date:   Wed Dec 7 17:44:25 2016 +0100
>>
>>     s3-testparm: Print error if the default backend is incorrect
>>
>>     Signed-off-by: Andreas Schneider <asn at samba.org>
>>     Reviewed-by: Michael Adam <obnox at samba.org>
>>
>> That should help you look up the patch and discussion
>> on samba-technical archives.
>
> OK, so having read the discussion I guess the issues are:
>
> 1. Does sssd generate collision-free idmaps when the customer has
> multiple domains?
> 2. Do we want to live dangerously?

I notice this in the change:

+ const char *default_backends[] = {
+                       "tdb", "tdb2", "ldap", "autorid", "hash"
+               };
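
Review bot: The default_backends allow-list has no comment stating what qualifies a backend as an acceptable default, so a reader cannot tell from the code why "hash" is listed while any backend not named here is rejected. Add a short comment above the array giving the criterion for inclusion, and consider declaring it as static const char * const default_backends[], since it is a fixed list of string literals.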

That means that the code accepts the hash backend and I think sss uses
the same sort of scheme, so sss should be safe, it would seem.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)


