[Samba] Samba4 LDAP: how to write to idmap.ldb
abartlet at samba.org
Sun May 13 20:49:16 MDT 2012
On Sun, 2012-05-13 at 10:40 -0700, Matthieu Patou wrote:
> On 05/12/2012 11:30 PM, steve wrote:
> > Hi everyone
> > I can change a mapping in idmap.ldb according to the samba4 wiki:
> > https://wiki.samba.org/index.php/Samba4/HOWTO#Managing_Samba_4_Active_Directory_From_Windows_XP_Pro
> > But if I delete an object via ldbmodify or ldbedit, it doesn't delete
> > the entry in idmap.ldb. We have users who we deleted long ago still
> > present there. Over a period of time, this could amount to a lot of
> > wasted space.
> No, the space used in idmap for a user mapping is ridiculously small; if
> you haven't removed ~10 000 users it's not worth worrying about.
> > Would it be possible that samba-tool user delete <x> and samba-tool
> > group delete <y> also delete the corresponding entry in idmap.ldb?
> Yeah, it could be; file a request in bugzilla explaining this. It's an
> enhancement and I think it has a pretty low priority.
> At the same time you should also ask for an expunge command so that if
> you removed the user/group from ADUC we could remove all inactive groups.
> But that's very, very, very low priority to me, though it should be rather easy
> to do.
The reason not to do this at all is that, just as the SID is never
re-used, the UID should not be re-used.
Additionally, if that UID or SID were to be found on a file ACL, it is
critically important that we continue to map it in the same way (as the
acl_xattr check-hash on the SD for posix/NT consistency is done on the
mapped-from-posix NT ACL).
I hope this clarifies things,
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
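Added example (not code from this thread or from Samba): a small Python audit script that parses the LDIF that `ldbsearch -H idmap.ldb` prints, reports mappings whose SID no longer has a live account (retained, not deleted), and checks that no xidNumber is mapped from two SIDs, the invariant Andrew describes for file ACL consistency. The attribute names follow idmap.ldb's sidMap records; the SIDs, xidNumbers and the set of live SIDs are constructed sample values.

```python
import re

# Constructed sample of ldbsearch output for two sidMap records (attribute names follow idmap.ldb; values are made up)
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_BOTH
xidNumber: 3000021

dn: CN=S-1-5-21-1111-2222-3333-1140
cn: S-1-5-21-1111-2222-3333-1140
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1140
type: ID_TYPE_BOTH
xidNumber: 3000022
"""

def parse_idmap_ldif(text):
    """Return a dict objectSid -> xidNumber from LDIF text (records separated by blank lines)."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def orphaned_mappings(mapping, live_sids):
    """SIDs that still hold an xid but no longer exist in the directory.
    Reported only: the SID may still sit in a file ACL and must keep mapping to the same xid."""
    return sorted(sid for sid in mapping if sid not in live_sids)

def reused_xids(mapping):
    """xidNumbers mapped from more than one SID; any hit means a UID was re-used."""
    seen = {}
    for sid, xid in mapping.items():
        seen.setdefault(xid, []).append(sid)
    return {xid: sids for xid, sids in seen.items() if len(sids) > 1}

if __name__ == "__main__":
    m = parse_idmap_ldif(SAMPLE_IDMAP_LDIF)
    live = {"S-1-5-21-1111-2222-3333-1105"}   # constructed: the -1140 account was deleted
    print("orphaned but retained:", orphaned_mappings(m, live))
    print("xid collisions:", reused_xids(m))
```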