[Samba] Samba4 LDAP: how to write to idmap.ldb

Andrew Bartlett abartlet at samba.org
Sun May 13 20:49:16 MDT 2012

On Sun, 2012-05-13 at 10:40 -0700, Matthieu Patou wrote:
> On 05/12/2012 11:30 PM, steve wrote:
> > Hi everyone
> >
> > I can change a mapping in idmap.ldb according to the samba4 wiki:
> > https://wiki.samba.org/index.php/Samba4/HOWTO#Managing_Samba_4_Active_Directory_From_Windows_XP_Pro 
> >
> >
> > But if I delete an object via ldbmodify or ldbedit, it doesn't delete 
> > the entry in idmap.ldb. We have users who we deleted long ago still 
> > present there. Over a period of time, this could amount to a lot of 
> > wasted space.
> >
> No the space used in idmap for a user mapping is ridiculously small if 
> you don't have removed ~ 10 000 users it's not worth to worry about
> > Would it be possible that samba-tool user delete <x> and samba-tool 
> > group delete <y> also delete the corresponding entry in idmap.ldb?
> >
> Yeah it could be file an request in bugzilla explaining this, it's an 
> enhancement and I think it has a pretty low priority.
> In the same time you should ask also for an expunge command so that if 
> you removed the user/group from ADCU we could remove all inactive groups.
> But that's very very very low priority to me but should be rather easy 
> to do.

The reason not to do this at all is that just as the SID is never
re-used, the UID should not be re-used. 

Additionally, if that UID or SID were to be found on a file ACL, it is
critically important that we continue to map it in the same way (as the
acl_xattr check-hash on the SD for posix/NT consistency is done on the
mapped-from-posix NT ACL). 

I hope this clarifies things,

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list