[Samba] Samba4 LDAP: how to write to idmap.ldb
mat at samba.org
Mon May 14 00:07:22 MDT 2012
On 05/13/2012 07:49 PM, Andrew Bartlett wrote:
> On Sun, 2012-05-13 at 10:40 -0700, Matthieu Patou wrote:
>> On 05/12/2012 11:30 PM, steve wrote:
>>> Hi everyone
>>> I can change a mapping in idmap.ldb according to the samba4 wiki:
>>> But if I delete an object via ldbmodify or ldbedit, it doesn't delete
>>> the entry in idmap.ldb. We have users who we deleted long ago still
>>> present there. Over a period of time, this could amount to a lot of
>>> wasted space.
>> No the space used in idmap for a user mapping is ridiculously small if
>> you don't have removed ~ 10 000 users it's not worth to worry about
>>> Would it be possible that samba-tool user delete<x> and samba-tool
>>> group delete<y> also delete the corresponding entry in idmap.ldb?
>> Yeah it could be file an request in bugzilla explaining this, it's an
>> enhancement and I think it has a pretty low priority.
>> In the same time you should ask also for an expunge command so that if
>> you removed the user/group from ADCU we could remove all inactive groups.
>> But that's very very very low priority to me but should be rather easy
>> to do.
> The reason not to do this at all is that just as the SID is never
> re-used, the UID should not be re-used.
The thing is that we keep track of the latest usn (at least in s4 idmap)
so even if we purge removed users we won't cycle on already affected
> Additionally, if that UID or SID were to be found on a file ACL, it is
> critically important that we continue to map it in the same way (as the
> acl_xattr check-hash on the SD for posix/NT consistency is done on the
> mapped-from-posix NT ACL).
Oh I didn't knew that.
More information about the samba