[Samba] Samba4 LDAP: how to write to idmap.ldb

Matthieu Patou mat at samba.org
Mon May 14 00:07:22 MDT 2012

On 05/13/2012 07:49 PM, Andrew Bartlett wrote:
> On Sun, 2012-05-13 at 10:40 -0700, Matthieu Patou wrote:
>> On 05/12/2012 11:30 PM, steve wrote:
>>> Hi everyone
>>> I can change a mapping in idmap.ldb according to the samba4 wiki:
>>> https://wiki.samba.org/index.php/Samba4/HOWTO#Managing_Samba_4_Active_Directory_From_Windows_XP_Pro
>>> But if I delete an object via ldbmodify or ldbedit, it doesn't delete
>>> the entry in idmap.ldb. We have users who we deleted long ago still
>>> present there. Over a period of time, this could amount to a lot of
>>> wasted space.
>> No, the space used in idmap for a user mapping is ridiculously small; if
>> you haven't removed ~10 000 users it's not worth worrying about.
>>> Would it be possible that samba-tool user delete <x> and samba-tool
>>> group delete <y> also delete the corresponding entry in idmap.ldb?
>> Yeah, it could be; file a request in bugzilla explaining this, it's an
>> enhancement and I think it has a pretty low priority.
>> At the same time you should also ask for an expunge command so that if
>> you removed the user/group from ADUC we could remove all inactive groups.
>> But that's very very very low priority to me, though it should be rather easy
>> to do.
> The reason not to do this at all is that just as the SID is never
> re-used, the UID should not be re-used.
The thing is that we keep track of the latest usn (at least in s4 idmap) 
so even if we purge removed users we won't cycle on already affected 

> Additionally, if that UID or SID were to be found on a file ACL, it is
> critically important that we continue to map it in the same way (as the
> acl_xattr check-hash on the SD for posix/NT consistency is done on the
> mapped-from-posix NT ACL).
Oh, I didn't know that.

Matthieu Patou
Samba Team
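As an added illustration of the allocation question argued in this thread (not code from the thread and not Samba's own idmap implementation), the following Python model contrasts two policies: a high-water-mark allocator that never reissues an xid after its mapping is purged, and a "reuse freed ids" allocator. It also models, very loosely, the consistency check Andrew refers to: a hash over the NT ACL obtained by mapping a file's POSIX ACL back to SIDs. The `IdmapStore` class, the SIDs, the bounds, the `sd_hash` stand-in for the acl_xattr check-hash and the `find_orphans` audit are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed SIDs; they stand in for real account entries in idmap.ldb.
USER_A = "S-1-5-21-1111-2222-3333-1104"
USER_B = "S-1-5-21-1111-2222-3333-1105"


@dataclass
class IdmapStore:
    """Toy SID<->xid store. reuse_freed=True models the policy the thread argues against."""
    lower_bound: int = 3000000          # constructed range, not a Samba default
    upper_bound: int = 3999999
    reuse_freed: bool = False
    mappings: Dict[str, int] = field(default_factory=dict)  # SID -> xid
    next_xid: int = field(init=False)

    def __post_init__(self) -> None:
        self.next_xid = self.lower_bound

    def allocate(self, sid: str) -> int:
        """Return the xid for sid, allocating a new one if it has none."""
        if sid in self.mappings:
            return self.mappings[sid]
        if self.reuse_freed:
            used = set(self.mappings.values())
            xid = next(x for x in range(self.lower_bound, self.upper_bound + 1)
                       if x not in used)
        else:
            if self.next_xid > self.upper_bound:
                raise RuntimeError("idmap range exhausted")
            xid = self.next_xid
            self.next_xid += 1  # high-water mark only moves forward, even after purges
        self.mappings[sid] = xid
        return xid

    def purge(self, sid: str) -> Optional[int]:
        """Drop the mapping of a deleted account (the 'expunge' idea from the thread)."""
        return self.mappings.pop(sid, None)

    def sid_for_xid(self, xid: int) -> Optional[str]:
        for sid, x in self.mappings.items():
            if x == xid:
                return sid
        return None


PosixAce = Tuple[int, str]  # (xid, permission string), e.g. (3000000, "rwx")


def posix_to_nt_acl(acl: List[PosixAce], store: IdmapStore) -> List[Tuple[str, str]]:
    """Map each POSIX ACE back to a SID; an unmapped xid is flagged, never guessed."""
    return [(store.sid_for_xid(xid) or f"UNMAPPED-{xid}", perms) for xid, perms in acl]


def sd_hash(nt_acl: List[Tuple[str, str]]) -> str:
    """Hash of the mapped-from-posix NT ACL; a stand-in for the acl_xattr check-hash."""
    return hashlib.sha256(repr(nt_acl).encode()).hexdigest()


def check_hash(stored: str, acl: List[PosixAce], store: IdmapStore) -> bool:
    """True only if mapping the POSIX ACL back to SIDs still yields the stored hash."""
    return sd_hash(posix_to_nt_acl(acl, store)) == stored


def find_orphans(store: IdmapStore, live_sids: set) -> List[Tuple[str, int]]:
    """Read-only audit: mappings whose SID no longer exists in the directory."""
    return sorted((sid, xid) for sid, xid in store.mappings.items() if sid not in live_sids)


def demo(reuse_freed: bool) -> dict:
    """Create a user, put its xid on a file ACL, delete and purge it, then add a new user."""
    store = IdmapStore(reuse_freed=reuse_freed)
    xid_a = store.allocate(USER_A)
    acl = [(xid_a, "rwx")]                          # file ACL granting USER_A access
    stored = sd_hash(posix_to_nt_acl(acl, store))   # hash recorded while mapping was intact
    orphans_before = find_orphans(store, {USER_B})  # USER_A gone from AD, mapping still there
    store.purge(USER_A)                             # idmap entry expunged
    xid_b = store.allocate(USER_B)                  # a new account is created later
    return {
        "xid_a": xid_a,
        "xid_b": xid_b,
        "xid_reused": xid_a == xid_b,
        "old_acl_now_resolves_to": store.sid_for_xid(xid_a),
        "hash_valid_after_purge": check_hash(stored, acl, store),
        "orphans_before_purge": orphans_before,
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("reuse_freed =", policy, demo(policy))
```

Running the two policies side by side shows the two distinct risks: with reuse the old ACL entry silently starts granting access to the newly created account, whereas with the high-water-mark allocator it merely becomes unmapped. In both cases the check-hash over the mapped ACL no longer matches once the entry is purged, which is the consistency concern raised above and the reason an audit that only reports orphaned mappings is safer than one that deletes them.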
