[Samba] Man page for idmap_rid

Michael Adam obnox at samba.org
Wed Aug 10 12:22:17 UTC 2016


On 2016-08-09 at 15:05 -0300, francis picabia wrote:
> On Tue, Aug 9, 2016 at 2:48 PM, Michael Adam <obnox at samba.org> wrote:
> >
> > Why are you so keen on starting a range directly above the
> > smallest used id number from the files?
> >
> 
> I'd like to see it documented in plain terms, not formula where
> few people know what "rid in sid" means.  It seems to me if
> it were documented for the type security = ads case for
> Linux, this would be a template to start with, and not
> looking for magic values as many users have come to
> rely on (see the Samba and Debian bug reports for people
> who think the range beginning at 1000 was some magic solution).
> 
> Look, you get into your car, and do you look at an RPM value
> and gear indicator, compute the tire size P215R16
> and figure out the speed?  No, there is a calibrated instrument for it.

That comparison is invalid, imho: What you as an administrator
of a Samba installation are doing is providing such a smooth
experience for the car drivers. Imagine you, the admin, as
someone who assembles that car from pre-manufactured pieces
that need to be adapted and put together appropriately.
Some of these parts are very general and can be adapted for
many different kinds of cars. So you have to be knowledgeable
in adapting the part to the circumstances.

Likewise Samba is a very flexible tool.
You can adapt it to many special circumstances.
Hence you as the administrator need to have a good
amount of understanding of how it works and fits
together. It is this understanding that I was trying
to increase with my first explanation which you
found too analytical.

I am all in for keeping things simple and automatic,
but given the versatility of use cases, especially
id-mapping setup is currently not that automatic in Samba.

If you find it too cumbersome and don't want to dig
that deeply into ad-integration and id-mapping, then
you could consider some of the appliances out there.
There are systems that have put Samba into a much
more narrow set of use-cases, providing easy guis for
their supported setups, so you don't need to bother
about all the details below.

> Well, what is sitting in front of us, a frigging computer!
> 
> Why can't samba/winbind look at nsswitch, determine there is
> nothing like NIS and LDAP, lookup the UID values in /etc/passwd,
> and make ranges on the fly?  The end user does not care
> what their values are - they only want "Map Network Drive"
> to work and get something done.

The end user will never see it or care.
But the admin who sets up the server will have to!

Sure, samba could try to be clever and
automagically come up with something.
And it would even work in many cases.
But it will also break quite some.

> > > Now testparm reports:
> > >
> > > # testparm /etc/samba/smb.conf
> > > Load smb config files from /etc/samba/smb.conf
> > > Processing section "[homes]"
> > > Loaded services file OK.
> > > Server role: ROLE_DOMAIN_MEMBER
> > >
> > > Press enter to see a dump of your service definitions
> > >
> > > # Global parameters
> > > [global]
> > >         workgroup = MYDOM
> > >         realm = AD.MYDOM.CA
> > >         server string = Debian2 Server
> > >         security = ADS
> > >         log file = /var/log/samba/%m.log
> > >         max log size = 50
> > >         unix extensions = No
> > >         load printers = No
> > >         printcap name = /dev/null
> > >         disable spoolss = Yes
> > >         dns proxy = No
> > >         winbind use default domain = Yes
> >
> > Recommendation: avoid this by all means if possible.
> > It typically only creates problems by introducing
> > ambiguity.
> >
> 
> Avoid the use of the * plus domain name?

Er ... Avoid using 'winbind use default domain = Yes'.


> > >         idmap config mydom : range = 100001-110000
> > >         idmap config mydom : backend = rid
> > >         idmap config *:range = 65535-100000
> > >         idmap config * : backend = tbd
> >
> > Typo in the config? tdb <--> tbd ?
> 
> I've tried with only the rid backend and always the same behaviour.

You need the * config.
But you have a typo in your backend spelling.
It has to be 'tdb', not 'tbd' ....

> It is a documented bug.

What is a documented bug?
Up to now, I think I have only seen expected
behavior in your descriptions.

Cheers - Michael
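
Added example (not part of Michael's message and not Samba code): a small Python check over the idmap lines quoted in this thread that flags a misspelled backend such as 'tbd', a missing '*' default and overlapping ranges, and applies the idmap_rid man page formula ID = RID - BASE_RID + LOW_RANGE_ID. The function names, the backend list and the sample RID 1104 are assumptions made for this illustration.

```python
import re
from itertools import combinations
# Backends shipped with Samba as idmap_<name> modules (list assumed for this example).
KNOWN_BACKENDS = {"tdb", "tdb2", "ldap", "rid", "ad", "autorid", "hash", "nss", "script", "rfc2307"}
LINE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = LINE.match(line)
        if m:
            domains.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
    return domains

def check_idmap(conf_text):
    """List problems: no '*' default, unknown backend, bad range, overlapping ranges."""
    domains, findings, ranges = parse_idmap(conf_text), [], []
    if "*" not in domains:
        findings.append("no default 'idmap config *' section")
    for dom, opts in sorted(domains.items()):
        backend = opts.get("backend")
        if backend not in KNOWN_BACKENDS:
            findings.append(f"{dom}: unknown backend {backend!r}")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) > int(m.group(2)):
            findings.append(f"{dom}: missing or invalid range")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), dom))
    # Sorted by lower bound, two ranges overlap when the later one starts inside the earlier.
    for a, b in combinations(sorted(ranges), 2):
        if b[0] <= a[1]:
            findings.append(f"{a[2]} and {b[2]}: ranges overlap")
    return findings

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID, or None if outside the range."""
    uid = rid - base_rid + low
    return uid if rid >= base_rid and low <= uid <= high else None

# The idmap lines from the testparm dump quoted above, spelling kept as posted.
POSTED = """
    idmap config mydom : range = 100001-110000
    idmap config mydom : backend = rid
    idmap config *:range = 65535-100000
    idmap config * : backend = tbd
"""

if __name__ == "__main__":
    print(check_idmap(POSTED), rid_to_id(1104, 100001, 110000))  # RID 1104 is a constructed sample
```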