[Samba] Man page for idmap_rid
Shash Chatterjee
shash.chatterjee at aol.com
Tue Aug 9 14:26:01 UTC 2016
I can't add anything useful to the ID mapping discussion, but 65,535 is a very well known number to those of us that started in bits and bytes of embedded systems and assemblers. 65,535 is the largest unsigned integer in a 16-bit system, which is where UNIX started (mostly). They used (int) 0-65,534 as the valid user IDs, and "(unsigned int)-1", which is (int)65,535, as a check for invalid user ID.
> On Aug 9, 2016, at 8:21 AM, Rowland Penny <rpenny at samba.org> wrote:
>
> On Tue, 9 Aug 2016 09:37:13 -0300
> francis picabia <fpicabia at gmail.com> wrote:
>
>> Thanks for the detailed response.
>>
>> It is very extensive for my purposes, but it still feels over
>> analytical for what we need. I believe the Unix UID doesn't exceed
>> 65534. If this is a constant, why don't we just produce an example
>> for that? Out of the box, this is what many users will want to use.
>>
>> I don't understand when we want values to never overlap and when
>> we want them to be in a matching range.
>>
>> I would think this setting would work for everyone not using NIS or
>> LDAP in nsswitch:
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 100001-110000
>> idmap config MYDOM : backend = rid
>> idmap config MYDOM : range = 65535-100000
>
> The only problem with that is, what happens if you do manage to get to
> user '100001' in 'MYDOM' ?
>
> This would probably be better:
> idmap config *:backend = tdb
> idmap config *:range = 65535-100000
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 100001-110000
>
> This way, if you ever get to 'MYDOM' user '110001', you can just extend
> the range in smb.conf.
>
> However, a better way would be to find out who set nobody/nogroup to
> '65534' (there was probably a logical reason at the time it was set)
> and get it changed to '499' or whatever. Anybody know who to contact ?
>
>>
>> I've set that and restarted nmbd, smbd and winbind services
>>
>> When I do a wbinfo look up on my user with a UID of 1000, it has this:
>>
>> theusername:*:16777216:16777220:The
>> Username:/home/MYDOM/theusername:/bin/false
>
> Those numbers look suspiciously like what I used to get out of sssd,
> are you also running this ?
>
>>
>> Is this set up well or do I want the upper range to overlap with
>> 16777216?
>
> You cannot have ranges that overlap, if you had something like this:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-10000
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 9000-11000
>
> Now, there are two users with the RIDs 9999 and 2999, the first is a
> member of the '*' domain and the second is a member of 'MYDOM' domain
>
> As the algorithm to calculate the Unix ID is this:
>
> ID = RID + LOW_RANGE_ID
>
> We get two calculations
>
> 9999 + 2000 = ID
>
> 2999 + 9000 = ID
>
> ID in both cases will be '11999' so how is Unix to know which user is
> which ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
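Added example (not part of the original messages and not Samba code): a small checker that parses the `idmap config ... : range` lines quoted in the thread, reports overlapping ranges, and shows which RID in each domain would land on a given Unix ID. The names `parse_ranges`, `find_overlaps` and `owners_of` are hypothetical, the sample configs are constructed from the thread, and the formula ID = RID + LOW_RANGE_ID is applied to every range as in the thread's illustration.

```python
import re

# Constructed sample: the overlapping configuration quoted in the thread.
OVERLAPPING = """\
idmap config *:backend = tdb
idmap config *:range = 2000-10000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 9000-11000
"""
# Constructed sample: the non-overlapping layout suggested in the thread.
SEPARATE = """\
idmap config *:backend = tdb
idmap config *:range = 65535-100000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100001-110000
"""
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE)

def parse_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOM : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}: {line.strip()}")
            ranges[m.group(1)] = (low, high)
    return ranges

def find_overlaps(ranges):
    """Return [(dom_a, dom_b, first_shared_id, last_shared_id)] for clashing ranges."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    clashes = []
    for i, (dom_a, (lo_a, hi_a)) in enumerate(items):
        for dom_b, (lo_b, hi_b) in items[i + 1:]:
            if lo_b <= hi_a:  # items are sorted by low, so lo_a <= lo_b here
                clashes.append((dom_a, dom_b, lo_b, min(hi_a, hi_b)))
    return clashes

def owners_of(unix_id, ranges):
    """Invert ID = RID + LOW_RANGE_ID: {domain: rid} for each range holding unix_id."""
    return {dom: unix_id - low for dom, (low, high) in ranges.items() if low <= unix_id <= high}

if __name__ == "__main__":
    for name, conf in (("overlapping", OVERLAPPING), ("separate", SEPARATE)):
        print(name, find_overlaps(parse_ranges(conf)))
    print(owners_of(9500, parse_ranges(OVERLAPPING)))
```

More than one entry returned by `owners_of` means a file owned by that Unix ID cannot be attributed to a single account, which is why the ranges must stay disjoint.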