A future module like idmap_hash or sssd? (was: Re: [PATCH] Check if the idmap_hash range is big enough)

Andrew Bartlett abartlet at samba.org
Wed Mar 1 07:31:55 UTC 2017


On Sun, 2017-02-26 at 15:30 +0000, Rowland Penny wrote:
> On Sun, 26 Feb 2017 21:59:35 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > 
> > I'm told that sssd has a scheme like idmap_hash that is less
> > offensive, is that the case, or is it just that it is outside Samba
> > so we don't hear about the problems?
> > 
> 
> There is this in 'man sssd-ad', under the heading 'Mapping Algorithm'
> 
> The SID string is passed through the murmurhash3 algorithm to convert
> it to a 32-bit hashed value. We then take the modulus of this value
> with the total number of available slices to pick the slice.
> 
> NOTE: It is possible to encounter collisions in the hash and
> subsequent modulus. In these situations, we will select the next
> available slice, but it may not be possible to reproduce the same
> exact set of slices on other machines (since the order that they are
> encountered will determine their slice). In this situation, it is
> recommended to either switch to using explicit POSIX attributes in
> Active Directory (disabling ID-mapping) or configure a default domain
> to guarantee that at least one is always consistent. See
> "Configuration" for details.
> 
> So it looks like sssd has exactly the same problem as the one you are
> trying to avoid.

Yes and no.

To be clear:

My question wasn't if hashes have collisions, but if by storing data in
trustPosixOffset and uidNumber, and by avoiding values near 0, we could
sufficiently mitigate the risks seen in the 'no storage' idmap_hash
backend. 

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
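The slice-selection scheme Rowland quotes from sssd-ad(5) above, modelled in Python as an added example; this is written for this page, it is not sssd's sss_idmap code and not part of the thread. It assumes the hash seed 0xDEADBEEF (my recollection of what sssd passes to murmurhash3; treat it as an assumption), uses constructed domain SIDs rather than real ones, and leaves out sssd's secondary slices for RIDs larger than the slice size. The range defaults and the rule that a configured default domain always gets slice 0 are taken from sssd-ad(5). It reproduces the failure mode the NOTE warns about: two hosts that first meet two colliding domains in opposite order hand the same user two different UIDs, and pinning one of the domains as the default domain makes that domain consistent across hosts.

```python
"""Model of the sssd-ad(5) slice-selection algorithm quoted above.
Added example for this page, not sssd's code; assumptions marked ASSUMPTION."""

MASK32 = 0xFFFFFFFF
SEED = 0xDEADBEEF  # ASSUMPTION: seed sssd passes to murmurhash3 (from memory)


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32, the 32-bit hash the man page refers to."""
    c1, c2 = 0xCC9E2D51, 0x1B873593

    def rotl(x, r):
        return ((x << r) | (x >> (32 - r))) & MASK32

    h, n = seed & MASK32, len(data)
    for i in range(0, n - n % 4, 4):               # full 4-byte blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (rotl((k * c1) & MASK32, 15) * c2) & MASK32
        h = (rotl(h ^ k, 13) * 5 + 0xE6546B64) & MASK32
    tail, k = data[n - n % 4:], 0                  # 0..3 trailing bytes
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if tail:
        k ^= tail[0]
        h ^= (rotl((k * c1) & MASK32, 15) * c2) & MASK32
    h ^= n                                          # finalisation (fmix32)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & MASK32
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)


def preferred_slice(domain_sid: str, slices: int, seed: int = SEED) -> int:
    """Hash the SID string, take the modulus with the number of slices."""
    return murmurhash3_32(domain_sid.encode("ascii"), seed) % slices


class SliceMap:
    """One host's slice table, filled in the order domains are first seen."""

    def __init__(self, range_min=200000, range_max=2000200000,
                 range_size=200000, default_domain_sid=None):
        # Defaults are ldap_idmap_range_min/max/size from sssd-ad(5): 10000 slices.
        self.range_min, self.range_size = range_min, range_size
        self.slices = (range_max - range_min) // range_size
        self.assigned = {}                          # domain SID -> slice
        if default_domain_sid is not None:
            self.assigned[default_domain_sid] = 0   # default domain bypasses the hash

    def slice_for(self, domain_sid: str) -> int:
        if domain_sid in self.assigned:
            return self.assigned[domain_sid]
        s, used = preferred_slice(domain_sid, self.slices), set(self.assigned.values())
        for _ in range(self.slices):
            if s not in used:
                self.assigned[domain_sid] = s
                return s
            s = (s + 1) % self.slices               # collision: next available slice
        raise RuntimeError("no free slices left")

    def uid_for(self, object_sid: str) -> int:
        domain_sid, rid = object_sid.rsplit("-", 1)
        if int(rid) >= self.range_size:             # sssd's secondary slices not modelled
            raise ValueError("RID does not fit the primary slice")
        return self.range_min + self.slice_for(domain_sid) * self.range_size + int(rid)


# Constructed domain SIDs, not real domains. Nine candidates for eight
# slices guarantees (pigeonhole) that two of them share a preferred slice.
CANDIDATES = ["S-1-5-21-%d-%d-%d" % (1000 + i, 2000 + i, 3000 + i) for i in range(9)]


def find_colliding_pair(domain_sids, slices):
    seen = {}
    for d in domain_sids:
        s = preferred_slice(d, slices)
        if s in seen:
            return seen[s], d
        seen[s] = d
    return None


def two_hosts(slices=8, pin_default=False):
    """Two hosts meet the colliding domains a and b in opposite order.
    Returns the UID of RID 1105 in domain a as seen on host1 and on host2:
    they differ unless a is pinned as the default domain."""
    a, b = find_colliding_pair(CANDIDATES, slices)
    cfg = dict(range_min=200000, range_max=200000 + slices * 200000,
               range_size=200000, default_domain_sid=a if pin_default else None)
    host1, host2 = SliceMap(**cfg), SliceMap(**cfg)
    host1.slice_for(a)
    host1.slice_for(b)                              # host1: a first, then b
    host2.slice_for(b)
    host2.slice_for(a)                              # host2: b first, then a
    return host1.uid_for(a + "-1105"), host2.uid_for(a + "-1105")


if __name__ == "__main__":
    print("unpinned:", two_hosts())                 # two different UIDs
    print("pinned:  ", two_hosts(pin_default=True)) # identical UIDs
```

The point for the idmap discussion is that nothing here persists the slice table: each host rebuilds it from the order in which it first sees domains, so a collision on one host and not another (or in a different order) silently changes file ownership between machines. Pinning a default domain only protects that one domain; the other colliding domain is still resolved by encounter order.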
