[Samba] idmap_rid/idmap_hash collisions?

Gerald Carter jerry at plainjoe.org
Wed Nov 11 06:52:28 MST 2009


Hey Nick,

Nick wrote:
> Is it possible for the uid/gid numbers that are generated by the
> idmap_rid and idmap_hash to collide if there are a large number of
> users or groups?  I cannot seem to find any documentation on the
> limitations of these plugins.  Before using I want to make absolutely
> sure that there won't be any collisions.

There is a small chance of collision based on the domain sid.
In testing the mean average was about 40 trusted domains but I've
seen it much lower on rare occasions.  Also, if the highest RID
in your domain is > (as Volker points out) 2^19, the plugin will
suffer from integer overflow.

There's a slide or two outlining the algorithm in this slide deck
from LinuxWorld SF '08

http://archives.likewiseopen.org/~gcarter/presentations/likewise_open_first_class_citizen_lwsf08.pdf

> In doing some research about Likewise Open, I see its hashing routine
> can have this problem:
> 
> "If your Active Directory relative identifiers, or RIDs, are a number
> greater than 524,287, the Likewise Open algorithm that generates UIDs
> and GIDs can result in UID-GID collisions among users and groups. In
> such cases, it is recommended that you use Likewise Enterprise or that
> you use the Likewise UID-GID management tool."
> 
> http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html#AboutLikewiseAgent
> 
> I was somehow thinking that Likewise is based on Samba, although I
> don't remember where I heard that so it could be total BS.

The Likewise Identity 3.x and 4.x was based on winbindd.  That's when
I wrote the original idmap_hash and pushed it upstream.  The Likewise 5.x
code base moved to a new single process threaded authentication service
named lsassd, but still supports the hashing mechanism for unprovisioned
AD domains.

The "enterprise" version and the uid/gid management tool you
reference above just allow you to manually administer uid and gid
assignments in AD (that will be picked up by lsassd).

Does that help clarify?





cheers, jerry
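
Added example, not part of the original message and not Samba or Likewise code: a pre-deployment audit that lists SIDs whose RID exceeds 524,287 and groups SIDs that would share one Unix id. It assumes an id made of a 12-bit domain hash above the low 19 bits of the RID; `domain_hash` is a stand-in fold, and all function names and sample SIDs are constructed for illustration.

```python
from collections import defaultdict

RID_BITS = 19                      # assumed width of the RID field
RID_MASK = (1 << RID_BITS) - 1     # 524,287, the limit quoted in the thread
DOMAIN_MASK = 0xFFF                # assumed 12-bit domain field


def split_sid(sid):
    """'S-1-5-21-a-b-c-rid' -> ((a, b, c), rid)."""
    fields = sid.split("-")
    if len(fields) != 8 or fields[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: " + sid)
    a, b, c, rid = (int(f) for f in fields[4:])
    return (a, b, c), rid


def domain_hash(domain):
    """Stand-in fold of the three domain sub-authorities to 12 bits."""
    x = domain[0] ^ domain[1] ^ domain[2]
    return ((x >> 20) + ((x >> 8) & 0xFFF) + (x & 0xFF)) & DOMAIN_MASK


def unix_id(sid):
    """Domain hash in the high bits, RID truncated to RID_BITS below it."""
    domain, rid = split_sid(sid)
    return (domain_hash(domain) << RID_BITS) | (rid & RID_MASK)


def audit(sids):
    """Return (SIDs whose RID exceeds the field, {id: [SIDs]} for shared ids)."""
    too_big = [s for s in sids if split_sid(s)[1] > RID_MASK]
    by_id = defaultdict(list)
    for s in sids:
        by_id[unix_id(s)].append(s)
    clashes = {i: group for i, group in by_id.items() if len(group) > 1}
    return too_big, clashes


# Constructed sample SIDs, not from any real domain.
SAMPLE = [
    "S-1-5-21-1000-2000-3000-1105",
    "S-1-5-21-1000-2000-3000-525393",   # 1105 + 2**19: RID wraps onto 1105
    "S-1-5-21-2000-1000-3000-1105",     # other domain, same stand-in hash
    "S-1-5-21-1000-2000-3000-1106",
]

if __name__ == "__main__":
    too_big, clashes = audit(SAMPLE)
    print("RID above", RID_MASK, ":", too_big)
    for uid, group in clashes.items():
        print(uid, "shared by", group)
```

Feeding it the SIDs of every user and group in the domain and its trusts shows both failure modes before the mapping is relied on for file ownership.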
