Drop NIS support

Ralph Boehme slow at samba.org
Thu Mar 25 17:35:56 UTC 2021


On 3/25/21 at 6:33 PM, Rowland penny wrote:
> Which part ?
> 
> 'DO NOT USE THIS MODULE!' which he says three times
> 
> Or:
> 
> What I personally want or would like to do myself is
> to remove the idmap_hash module altogether. But
> unfortunately that does not seem to be feasible,
> since it is used out there.
> 
> Or:

the part below. It explains the internals and warns to stay away from it 
which is as far as we should go at this point.

Thanks!

> 
> The idmap_hash module calculates a Unix ID for a given SID as
> follows:
> 
> - Write the SID as DOMAINSID-RID.
> - The module calculates a 12-bit hash value of the DOMAINSID,
>    i.e. a value hash(DOMAINSID) between 0 and 4095.
> - The unix-ID for SID is then calculated as
> 
>      unix-id(SID) = hash(DOMAINSID) * 0x080000 + (RID % 0x080000)
> 
>    (Note 0x080000 == 524288 and 4095 == 0x0FFF.)
> 
> 
> Hence:
> 
> - Each domain has its predefined fixed range of
> 
>      hash(DOMAINSID)*0x080000 -- (hash(domainsid)*0x080000 + 524287)
> 
> - The overall required range to be able to map all SIDs is
> 
>      0 -- 4096 * 524288 - 1 = 2147483647
> 
> This leads to a few issues:
> 
> - Any range smaller than 0 - 2147483647 will filter some SIDs.
> - Since we can not start the range at 0, some SIDs can *never*
>    be mapped.
> - Some domain SIDs will be mapped to the same range.
> - RIDs will wrap around, i.e. DOMSID-RID and
>    DOMSID-(RID+524288) will be mapped to the same ID.
> 
> Hence the recommendation is:
> 
>     DO NOT USE THIS MODULE!
> 
> If you have to use it, then make the range as big as possible.
> I would say start as low as you can afford, i.e. 1000 or 10000.
> That way, you'll at least catch some IDs of those domains
> that are unfortunate enough to fall into hash value 0...
> (Note to Andreas: If you want to start at 520000 instead,
> completely filtering hash value 0 domains, that is a point of
> view as well, which comes closer to not using the module at all...)
> 
> All in all, I can only repeat:
> 
>     DO NOT USE THIS MODULE!
> 
> Rowland
> 
> 


-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
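
The ID calculation quoted in the message above, worked through as an added example (not part of the original mail and not Samba's code). `domain_hash` is a stand-in 12-bit hash built from truncated SHA-256, not the hash idmap_hash really uses, and all SIDs and helper names are constructed for illustration.

```python
import hashlib

RID_SPAN = 0x080000    # 524288 IDs per domain slot, from the quoted formula
HASH_SLOTS = 4096      # 12-bit hash: values 0..4095

def domain_hash(domain_sid):
    """Stand-in 12-bit hash (assumption); NOT the hash Samba's module uses."""
    digest = hashlib.sha256(domain_sid.encode("ascii")).digest()
    return int.from_bytes(digest[:2], "big") & 0x0FFF

def split_sid(sid):
    """Write the SID as DOMAINSID-RID."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def unix_id(sid, hash_fn=domain_hash):
    """unix-id(SID) = hash(DOMAINSID) * 0x080000 + (RID % 0x080000)"""
    domain_sid, rid = split_sid(sid)
    return hash_fn(domain_sid) * RID_SPAN + (rid % RID_SPAN)

def map_sid(sid, low, high, hash_fn=domain_hash):
    """Return the Unix ID, or None when the configured range filters it."""
    uid = unix_id(sid, hash_fn)
    return uid if low <= uid <= high else None

def find_domain_collision(count=HASH_SLOTS + 1):
    """With more domains than hash slots, two must share a slot (pigeonhole)."""
    seen = {}
    for i in range(count):
        dom = f"S-1-5-21-1000-2000-{i}"    # constructed sample domain SIDs
        slot = domain_hash(dom)
        if slot in seen:
            return seen[slot], dom
        seen[slot] = dom
    return None

if __name__ == "__main__":
    dom = "S-1-5-21-1000-2000-3000"        # constructed sample domain SID
    # RID wrap-around: two different SIDs receive the same Unix ID.
    print(unix_id(f"{dom}-1105"), unix_id(f"{dom}-{1105 + RID_SPAN}"))
    # A domain landing in hash slot 0 loses every RID below the range start.
    slot0 = lambda _domain: 0
    print(map_sid(f"{dom}-500", 1000, 2**31 - 1, hash_fn=slot0))
    # Two distinct domains sharing one 524288-wide ID range.
    print(find_domain_collision())
```

Two SIDs that resolve to the same Unix ID share file ownership and ACL entries on the server, which is why the wrap-around and slot collisions matter for access control and not only for tidiness.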
