Drop NIS support

Rowland penny rpenny at samba.org
Thu Mar 25 17:33:49 UTC 2021

On 25/03/2021 17:26, Ralph Boehme wrote:
> Am 3/24/21 um 11:19 PM schrieb Rowland penny:
>> You might want to read this thread from 2017:
>> https://lists.samba.org/archive/samba-technical/2017-February/118705.html 
> the stuff Michael said in
> <https://lists.samba.org/archive/samba-technical/2017-February/118808.html> 
> would be a great enhancement for the manpage.
> -slow

Which part ?

'DO NOT USE THIS MODULE!' which he says three times


What I personally want or would like to do myself is
to remove the idmap_hash module altogether. But
unfortunately that does not seem to be feasible,
since it is used out there.


The idmap_hash module calculates a Unix ID for a given SID as

- Write the SID as DOMAINSID-RID.
- The module calculates a 12-bit hash value of the DOMAINSID,
   i.e. a value hash(DOMAINSID) between 0 and 4095.
- The unix-ID for SID is then calculated as

     unix-id(SID) = hash(DOMAINSID) * 0x080000 + (RID % 0x080000)

   (Note 0x080000 == 524288 and 4095 == 0x0FFF.)


- Each domain has its predefined fixed range of

     hash(DOMAINSID)*0x080000 -- (hash(domainsid)*0x080000 + 524287)

- The overall required range to be able to map all SIDs is

     0 -- 4096 * 524288 - 1 = 2147483647

This leads to a few issues:

- Any range smaller than 0 - 2147483647 will filter some SIDs.
- Since we can not start the range at 0, some SIDs can *never*
   be mapped.
- Some domain SIDs will be mapped to the same range.
- RIDs will wrap around, i.e. DOMSID-RID and
   DOMSID-(RID+524288) will be mapped to the same ID.

Hence the recommendation is:


If you have to use it, then make the range as big as possible.
I would say start as low as you can afford, i.e. 1000 or 10000.
That way, you'll at least catch some IDs of those domains
that are unfortunate enough to fall into hash value 0...
(Note to Andreas: If you want to start at 520000 instead,
completely filtering hash value 0 domains, that is a point of
view as well, which comes closer to not using the module at all...)

All in all, I can only repeat:



More information about the samba-technical mailing list