[Samba] SID mapping: Samba and SSSD

Andrew Walker walker.aj325 at gmail.com
Thu Sep 3 19:01:49 UTC 2020


Whoops, fumbled my response a bit. Slice size by default is 200,000, and to
clarify, the SID passed into murmur3() is the domain SID, not the SID of an
individual user. Though, the manpage for sssd-ad should be consulted for
precise details. My understanding though is as long as everything fits in
one slice, then you can just use RID. If you have multiple slices, you're
stuck with non-deterministic behavior from SSSD and so can continue to use
RID in winbind config. Although, I'm happy for someone to prove me wrong
(which is the way things usually happen when you open your mouth). :)

On Thu, Sep 3, 2020 at 2:55 PM Andrew Walker <walker.aj325 at gmail.com> wrote:

>
>
> On Thu, Sep 3, 2020 at 2:23 PM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
>> On 03/09/2020 19:19, Jeremy Allison wrote:
>> > On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
>> >> On 03/09/2020 18:04, Johan Hattne via samba wrote:
>> >>> Dear all;
>> >>>
>> >>> Would anybody be able to tell me what the idmap configuration is to have
>> >>> Samba do the same SID-to-user/group mapping as the SSSD defaults?  I was
>> >>> convinced I saw it on this list or the wiki not too long ago, but I
>> >>> cannot seem to find it.
>> >>>
>> >>> // Best wishes; Johan
>> >>>
>> >> If you mean the large numbers that sssd seems to use, then that is probably
>> >> not possible with Samba. From my understanding, sssd uses an algorithm that
>> >> uses a combination of the domain SID and the user/group RID to calculate the
>> >> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
>> >> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
>> >> attributes.
>> > Hmmm. Would it be useful to add an idmap backend
>> > that uses the same algorithm ?
>>
>> Please no, not another idmap backend, there are more than enough now ;-)
>>
>> Rowland
>
>
> I could be wrong on this, but generally speaking, you can be compatible
> using idmap_rid if you set a low range identical to that of the low range
> in SSSD.
>
> SSSD determines low range for initial id slice using approximately the
> following algorithm IIRC:
> ```
> uint32_t hash_val = 0;
> int our_slice = 0;
> int max_slices = 10000;
> int final_value = 0;
> int slice_size = 20000;
>
> hash_val = murmur3(sid_str, strlen(sid_str), 0xdeadbeef);
> our_slice = hash_val % max_slices;
> final_value = our_slice * slice_size + slice_size;
> ```
> This works for the first slice, but slices after that are
> non-deterministic.
>

