[Samba] Man page for idmap_rid
francis picabia
fpicabia at gmail.com
Tue Aug 9 12:37:13 UTC 2016
On Mon, Aug 8, 2016 at 5:06 PM, Michael Adam <obnox at samba.org> wrote:
> On 2016-08-08 at 16:31 -0300, francis picabia wrote:
> > I'm reading the man page for idmap_rid over and over and I can't
> understand
> > it. I think it needs a rewrite so a normal user can understand. Using a
> > practical example.
>
> I admit it is a little terse.
> But in principle, assuming a little bit of
> general knowledge about how idmap backends are configured
> (see man smb.conf), it's all there.
>
> Before proposing a patch that will elaborate the manpage
> a bit, let me explain here:
>
> > Step 1: determine the highest UID in use for your /etc/passwd file
> > (can we assume everyone has a passwd file?)
> > Step 2: I don't know...
> >
> > Optionally at this point, document how to plug that into the formula
> >
> > RID = ID + BASE_RID - LOW_RANGE_ID
> >
> > and then show how we set the lines:
> >
> > range = low - high
>
> This 'low' here is the LOW_RANGE_ID referenced above
> in the formula. More concretely, this config would be
>
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = low-high
>
> > base_rid = INTEGER
>
> My suggestion: Forget about the 'base_rid' value. This optional parameter
> is only needed for corner cases, where you are very limited in the amount
> of unix ids available. It allows you to filter out the lower part of the
> rids in your domain. I have never seen it used. (i.e. use the default
> value of 0.)
>
> > The man page examples do not line up with any numbers practical outside
> of
> > smb.conf
>
> So in order to decribe how the rid module works for a given
> config, you need to describe how unix-id-->sid and sid-->unix-id
> mappings are calculated. The manpage offers this:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> THE MAPPING FORMULAS
> The Unix ID for a RID is calculated this way:
>
> ID = RID - BASE_RID + LOW_RANGE_ID.
>
> Correspondingly, the formula for calculating the RID
> for a given Unix ID is this:
>
> RID = ID + BASE_RID - LOW_RANGE_ID.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> As said above, here LOW_RANGE_ID is the id that is the lower
> number of the configured range. Now for the sake of simplicity,
> say that we did not configure the base rid, so BASE_RID is 0 in
> the above formulas and they simplify to:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ID = RID + LOW_RANGE_ID
> RID = ID - LOW_RANGE_ID
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> More concretely, assume that you have a domain MYDOM
> and a config
>
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 100000-200000
>
> Now calculate a few examples:
>
> - The administrator of MYDOM has rid=500 (the admin
> of each domain has). So it's unix ID would be
>
> 500 + 100000 = 100500
>
> - The Domain Users group has rid 513.
> So the associated unix group id would be
>
> 513 + 100000 = 100513
>
> - A Unix group of GID = 100512 would
> map to the SID with the rid of
>
> 100512 - 100000 = 512
>
> i.e. the domain admins group.
>
> - A unix user of UID = 123456 would be associated
> to a sid with the rid of
>
> 123456 - 10000 = 23456
>
> - A unix ID of 200001 would be bigger than
> the high id of the range and hence NOT be
> treated by this idmap module.
>
> - A SID with a rid of 100001 would be calculated
> to yield a unix id of
>
> 100001 + 100000 = 200001
>
> but this is bigger than the high upper limit of
> the configured range, hence the sid would be
> 'filtered', i.e. this object would not be mapped.
>
> Do these examples make it more clear?
>
> The low id of the range determines where the unix IDs of
> your domain will start, and the high id of the range
> determines how big the rids can get. More concretely,
> the largest mapped rid would be
>
> high id - low id
>
>
> > Say my UID on the Linux side would never exceed 70000. How do
> > I configure range and base_rid?
>
> The only important thing here is that the low id in the range is
> LARGER than the largest unix id used otherwise in your system.
> (That does not only mean passwd or group file, but also other
> possible nsswitch sources like ldap or nis...)
> So if you know you won't have unix user or group ids above 10000,
> then you could start your idmap rid range at 10001; this would
> be the lowes possible start of a range. But you could as
> well start it at 20000 or 100000 or 1000000. And so on.
>
> Also note that all other idmap ranges you configure must
> be disjoint from this idmap range. More generally, all
> configured idmap ranges must be mutually disjoint.
>
> See the example in the manpage for complete example
> idmap configs.
>
> Hope this helps at least a bit..
>
>
Thanks for the detailed response.
It is very extensive for my purposes, but it still feels over analytical for
what we need. I believe the Unix UID doesn't exceed 65534.
If this is a constant, why don't we just produce an example for that?
Out of the box, this is what many users will want to use.
I don't understand when we want values to never overlap and when
we want them to be in a matching range.
I would think this setting would work for everyone not using NIS or LDAP in
nsswitch:
idmap config *:backend = tdb
idmap config *:range = 100001-110000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 65535-100000
I've set that and restarted nmbd, smbd and winbind services
When I do a wbinfo look up on my user with a UID of 1000, it has this:
theusername:*:16777216:16777220:The
Username:/home/MYDOM/theusername:/bin/false
Is this set up well or do I want the upper range to overlap with 16777216?
More information about the samba
mailing list