[Samba] Forests, Domain Trusts, idmap (an idea for S4)

Trever L. Adams trever.adams at gmail.com
Sat May 1 19:15:54 MDT 2010

Hello all,

I have largely only used samba in my home.  I have several large
projects I see coming for me that require domain trusts, forests and
Samba 4.

As I have been reading up on Samba 4, I have found several things people
have mentioned that are being worked on or need to be worked on. One of
which is uid/gid <-> rid mapping and work for inter-domain trusts. I
think I may have found a solution. I do not know if it will work in
Forests, nor do I know how cleanly it can be implemented.

As I understand it, for domain trusts (at least out of a forest), you
must have a user in each domain that is the trust user. We use the
uid/gid in RFC2307 or SFU to store some magic values.

Each domain is then free to have user/group ids (based on the Samba
3.3.0 release notes) in bits 0-19 based on whatever algorithm they
choose. 20-30 are locally a hash of the domain SID. The uid in the trust
user becomes the domain SID hash (20-30) with the rest of the bits
0. If there is a collision between SID hashes, then we locally store a
free hash (+1 from the collision until we find a free one, making sure
to stay only in bits 20-30). We then mask any uid/gid information
returned by the trusted domain and OR it with our local version of the
trusted domain's SID hash, giving us a stable UID/GID which is
guaranteed unique.

On replicating/adding a new user, we check the uid/gid; if empty, we set
it based on idmap_hash's idea of what it should be, of course +1 until
we have a free hash, staying in bits 0-19 only for the +1. This likely
will require some hooks or other things in replication code. Or, for
those who hate the hash way, simply find highest value and add 1 until
we find a free hash.

Now, I said gid of trust user for trusted domain would be used for some
magic. If people know how many domains they will trust (as an upper
bound), you can use GID for a mask for the domain part. Each trust
user/trusted domain would have to have the same GID, since they would
all have to be masked the same. The uid would then, on replication/new
user, have to be within whatever is the 0 part of the mask. Of course,
this requires manual setting of the UID for the trust user.

You could combine the two so that the hash version described here would
have selectable bits for (or number of maximum trusted domains in power
of two or programmatically handled) which would adjust automatically so the
user hash would take up all but the domain SID hash part (which would be
no more than 10 bits and no less than 4). So, User RID hash would be
bits 0-19 on up to 0-26. This would require agreement on # of bits used
for SID part of the hash between domains (human decisions), but that is
rather simple, I think.

If we did the paragraph above, the gid would not be magic on trust
users. Only the uid. Or, vice versa. It would store only the domain SID
hash part of the full user id, and mixed with the bit count, would
function as a masking and ORing to make the full user id that we can
trust as non-colliding.

Pardon me, please, if my idea above is foolish or naive. I have just
been thinking about it a few days and am completely unfamiliar with the
samba code base. One question which I haven't answered is why store the
uid/gid in AD instead of just computing it like idmap_hash; the answer is it
allows us to deal with collisions, both in the rid and sid part of the
hash. I think it may also make all of the normal
authentication/identification stuff go a bit faster, but I could be wrong.

Thank you,
Trever Adams
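A worked example of the uid composition the post proposes, added here as an illustration; it is not code from the author or from Samba. It assumes bits 0-19 hold the per-domain RID part and a configurable number of bits above that (the post's 20-30 by default, 11 bits) hold the local hash of the domain SID, resolves collisions in either part with the +1 probing the post describes, and uses SHA-256 as a stand-in for whatever hash a deployment would pick. The `IdMap` class, its method names and the `hash_fn` parameter are invented for this example.

```python
import hashlib
from typing import Callable, Dict, Set, Tuple


def sha_hash(value: str, bits: int) -> int:
    """Stand-in hash: the low `bits` bits of SHA-256(value). Any stable hash works."""
    digest = hashlib.sha256(value.encode()).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << bits) - 1)


class IdMap:
    """uid = (local hash of domain SID) << rid_bits | (hash of RID).

    Both parts use +1 probing on collision, so the result is unique per
    (domain SID, RID) and stable once recorded (the post stores it in AD).
    """

    def __init__(self, domain_bits: int = 11, rid_bits: int = 20,
                 hash_fn: Callable[[str, int], int] = sha_hash) -> None:
        # Keep the whole uid below 2**31 so it fits a signed 32-bit uid_t.
        if domain_bits + rid_bits > 31:
            raise ValueError("domain_bits + rid_bits must not exceed 31")
        self.domain_bits = domain_bits
        self.rid_bits = rid_bits
        self.rid_mask = (1 << rid_bits) - 1
        self.hash_fn = hash_fn
        self._domain_hash: Dict[str, int] = {}          # SID -> unshifted hash
        self._used_domain: Set[int] = set()
        self._used_rid: Dict[str, Set[int]] = {}        # SID -> used RID-part values
        self._uid_of: Dict[Tuple[str, int], int] = {}   # (SID, RID) -> stored uid

    @staticmethod
    def _probe(start: int, bits: int, used: Set[int]) -> int:
        """+1 probing inside the `bits`-wide range (wrapping) until a free slot."""
        size = 1 << bits
        if len(used) >= size:
            raise RuntimeError("hash space exhausted")
        h = start
        while h in used:
            h = (h + 1) % size
        used.add(h)
        return h

    def domain_hash(self, sid: str) -> int:
        """Local hash of a domain SID, assigned once and kept for all later lookups."""
        if sid not in self._domain_hash:
            self._domain_hash[sid] = self._probe(
                self.hash_fn(sid, self.domain_bits), self.domain_bits, self._used_domain)
        return self._domain_hash[sid]

    def trust_user_uid(self, sid: str) -> int:
        """The 'magic' uid kept on the trust user: domain hash high, low bits all 0."""
        return self.domain_hash(sid) << self.rid_bits

    def allocate_uid(self, sid: str, rid: int) -> int:
        """On replication/new user: derive a uid if none is stored, probing in the RID part."""
        key = (sid, rid)
        if key not in self._uid_of:
            used = self._used_rid.setdefault(sid, set())
            low = self._probe(self.hash_fn(str(rid), self.rid_bits), self.rid_bits, used)
            self._uid_of[key] = (self.domain_hash(sid) << self.rid_bits) | low
        return self._uid_of[key]

    def map_remote_uid(self, sid: str, remote_uid: int) -> int:
        """Mask a uid returned by a trusted domain to its RID part and OR in our hash of its SID."""
        return (self.domain_hash(sid) << self.rid_bits) | (remote_uid & self.rid_mask)


if __name__ == "__main__":
    # Constructed sample SIDs, not real domains.
    idmap = IdMap()
    local, trusted = "S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"
    print("trust user uid for trusted domain:", idmap.trust_user_uid(trusted))
    print("uid for RID 1105 in local domain:", idmap.allocate_uid(local, 1105))
    print("remote uid 0x00AB1234 mapped:", idmap.map_remote_uid(trusted, 0x00AB1234))
```

Passing a deliberately colliding `hash_fn` (one that returns the same value for every input) shows the +1 probing on both the domain part and the RID part; with the default SHA-256 hash, collisions are rare but are resolved the same way.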
