[Samba] SID mapping: Samba and SSSD

Andrew Walker walker.aj325 at gmail.com
Thu Sep 3 18:55:48 UTC 2020


On Thu, Sep 3, 2020 at 2:23 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 03/09/2020 19:19, Jeremy Allison wrote:
> > On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
> >> On 03/09/2020 18:04, Johan Hattne via samba wrote:
> >>> Dear all;
> >>>
> >>> Would anybody be able to tell me what the idmap configuration is to have
> >>> Samba do the same SID-to-user/group mapping as the SSSD defaults?  I was
> >>> convinced I saw it on this list or the wiki not too long ago, but I
> >>> cannot seem to find it.
> >>>
> >>> // Best wishes; Johan
> >>>
> >> If you mean the large numbers that sssd seems to use, then that is probably
> >> not possible with Samba. From my understanding, sssd uses an algorithm that
> >> uses a combination of the domain SID and the user/group RID to calculate the
> >> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
> >> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
> >> attributes.
> > Hmmm. Would it be useful to add an idmap backend
> > that uses the same algorithm ?
>
> Please no, not another idmap backend, there are more than enough now ;-)
>
> Rowland


I could be wrong on this, but generally speaking, you can be compatible
using idmap_rid if you set a low range identical to that of the low range
in SSSD.

SSSD determines the low range for the initial ID slice using approximately the
following algorithm, IIRC:
```
uint32_t hash_val = 0;
int our_slice = 0;
int max_slices = 10000;
int final_value = 0;
int slice_size = 20000;

/* hash the domain SID string, then pick one of max_slices slices */
hash_val = murmur3(sid_str, strlen(sid_str), 0xdeadbeef);
our_slice = hash_val % max_slices;
/* low end of the ID range for that slice */
final_value = our_slice * slice_size + slice_size;
```
This works for the first slice, but slices after that are non-deterministic.
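
The calculation sketched in the message above, written out as a stand-alone C program (an added example, not code from the original message, from Samba or from SSSD). The sample SID, the domain name EXAMPLE and the helper names are assumptions; the constants are the ones quoted in the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as quoted in the message; compare them with the
 * ldap_idmap_range_* settings of the SSSD being matched. */
#define MAX_SLICES 10000u
#define SLICE_SIZE 20000u
#define SEED 0xdeadbeefu

static uint32_t rotl32(uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }

/* MurmurHash3 x86_32 (public-domain algorithm by Austin Appleby). */
uint32_t murmur3_32(const char *key, size_t len, uint32_t seed)
{
    const uint8_t *p = (const uint8_t *)key;
    uint32_t h = seed, k;
    size_t i;
    for (i = 0; i + 4 <= len; i += 4) {        /* 4-byte little-endian blocks */
        k = p[i] | (uint32_t)p[i+1] << 8 | (uint32_t)p[i+2] << 16 | (uint32_t)p[i+3] << 24;
        k *= 0xcc9e2d51u; k = rotl32(k, 15); k *= 0x1b873593u;
        h ^= k; h = rotl32(h, 13); h = h * 5 + 0xe6546b64u;
    }
    k = 0;
    switch (len & 3) {                          /* 1-3 trailing bytes */
    case 3: k ^= (uint32_t)p[i+2] << 16; /* fall through */
    case 2: k ^= (uint32_t)p[i+1] << 8;  /* fall through */
    case 1: k ^= p[i];
            k *= 0xcc9e2d51u; k = rotl32(k, 15); k *= 0x1b873593u; h ^= k;
    }
    h ^= (uint32_t)len;                         /* finalization mix */
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u; h ^= h >> 16;
    return h;
}

/* Low end of the first slice for a given hash value. */
uint32_t slice_low(uint32_t hash) { return (hash % MAX_SLICES) * SLICE_SIZE + SLICE_SIZE; }
uint32_t sid_range_low(const char *sid) { return slice_low(murmur3_32(sid, strlen(sid), SEED)); }

/* Unix ID for a RID, or 0 when the RID falls outside the first slice,
 * where the message says the mapping stops being deterministic. */
uint32_t rid_to_id(uint32_t low, uint32_t rid) { return rid < SLICE_SIZE ? low + rid : 0; }

int main(void)
{
    const char *sid = "S-1-5-21-1111111111-2222222222-3333333333"; /* constructed SID */
    uint32_t low = sid_range_low(sid);
    printf("idmap config EXAMPLE : backend = rid\n");
    printf("idmap config EXAMPLE : range = %u-%u\n", (unsigned)low, (unsigned)(low + SLICE_SIZE - 1));
    printf("RID 1104 -> %u\n", (unsigned)rid_to_id(low, 1104));
    return 0;
}
```

Comparing the printed ID for a known RID with what `id` reports on an SSSD host for the same account shows whether the two mappings agree before the range is put into smb.conf.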

