[Samba] Man page for idmap_rid

Shash Chatterjee shash.chatterjee at aol.com
Tue Aug 9 14:26:01 UTC 2016


I can't add anything useful to the ID mapping discussion, but 65,535 is a very well known number to those of us that started in bits and bytes of embedded systems and assemblers.  65,535 is the largest unsigned integer in a 16-bit system, which is where UNIX started (mostly).  They used (int) 0-65,534 as the valid user IDs, and "(unsigned int)-1", which is (int)65,535, as a check for invalid user ID.

> On Aug 9, 2016, at 8:21 AM, Rowland Penny <rpenny at samba.org> wrote:
> 
> On Tue, 9 Aug 2016 09:37:13 -0300
> francis picabia <fpicabia at gmail.com> wrote:
> 
>> Thanks for the detailed response.
>> 
>> It is very extensive for my purposes, but it still feels over
>> analytical for what we need.  I believe the Unix UID doesn't exceed
>> 65534. If this is a constant, why don't we just produce an example
>> for that? Out of the box, this is what many users will want to use.
>> 
>> I don't understand when we want values to never overlap and when
>> we want them to be in a matching range.
>> 
>> I would think this setting would work for everyone not using NIS or
>> LDAP in nsswitch:
>> 
>>   idmap config *:backend = tdb
>>   idmap config *:range = 100001-110000
>>   idmap config MYDOM : backend = rid
>>   idmap config MYDOM : range = 65535-100000
> 
> The only problem with that is, what happens if you do manage to get to
> user '100001' in 'MYDOM' ?
> 
> This would probably be better:
>   idmap config *:backend = tdb
>   idmap config *:range = 65535-100000
>   idmap config MYDOM : backend = rid
>   idmap config MYDOM : range = 100001-110000
> 
> This way, if you ever get to 'MYDOM' user '110001', you can just extend
> the range in smb.conf.
> 
> However, a better way would be to find out who set nobody/nogroup to
> '65534' (there was probably a logical reason at the time it was set)
> and get it changed to '499' or whatever. Anybody know who to contact ?
> 
>> 
>> I've set that and restarted nmbd, smbd and winbind services
>> 
>> When I do a wbinfo look up on my user with a UID of 1000, it has this:
>> 
>> theusername:*:16777216:16777220:The Username:/home/MYDOM/theusername:/bin/false
> 
> Those numbers look suspiciously like what I used to get out of sssd,
> are you also running this ?
> 
>> 
>> Is this set up well or do I want the upper range to overlap with
>> 16777216?
> 
> You cannot have ranges that overlap, if you had something like this:
> 
>   idmap config *:backend = tdb
>   idmap config *:range = 2000-10000
>   idmap config MYDOM : backend = rid
>   idmap config MYDOM : range = 9000-11000
> 
> Now, there are two users with the RIDs 9999 and 2999, the first is a
> member of the '*' domain and the second is a member of 'MYDOM' domain
> 
> As the algorithm to calculate the Unix ID is this:
> 
> ID = RID + LOW_RANGE_ID
> 
> We get two calculations
> 
> 9999 + 2000 = ID
> 
> 2999 + 9000 = ID
> 
> ID in both cases will be '11999' so how is Unix to know which user is
> which ?
> 
> Rowland
> 
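
Added example, not part of the original thread and not Samba code: a small Python check that reads the `idmap config` lines quoted above, reports overlapping ranges, and shows two RIDs landing on the same Unix ID. The function names are hypothetical; it applies the thread's formula (ID = RID + LOW_RANGE_ID) to both ranges, as the quoted example does, and assumes an ID above the top of its range is simply not mapped.

```python
import re

# Matches e.g. "idmap config MYDOM : range = 9000-11000"
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)\s*$", re.I)

# Constructed samples: the two configurations quoted in the thread.
OVERLAPPING = """
idmap config *:backend = tdb
idmap config *:range = 2000-10000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 9000-11000
"""
SEPARATE = """
idmap config *:backend = tdb
idmap config *:range = 65535-100000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100001-110000
"""

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        entry[key] = tuple(int(x) for x in value.split("-")) if key == "range" else value
    return domains

def find_overlaps(domains):
    """Return [(dom_a, dom_b, (lo, hi))] for every pair of ranges that intersect."""
    items = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    hits = []
    for i, (a, (alo, ahi)) in enumerate(items):
        for b, (blo, bhi) in items[i + 1:]:
            lo, hi = max(alo, blo), min(ahi, bhi)
            if lo <= hi:
                hits.append((a, b, (lo, hi)))
    return hits

def rid_to_id(rid, id_range):
    """Thread's formula ID = RID + LOW_RANGE_ID; None if above the range (assumption)."""
    low, high = id_range
    return rid + low if rid + low <= high else None

if __name__ == "__main__":
    for name, conf in (("overlapping", OVERLAPPING), ("separate", SEPARATE)):
        print(name, find_overlaps(parse_idmap(conf)))
    print(rid_to_id(7500, (2000, 10000)), rid_to_id(500, (9000, 11000)))
```

Any pair it reports is a window in which a file owned by one domain's user can also appear to belong to a user of the other domain, so an empty result is the state to aim for before winbind starts handing out IDs.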
