[Samba] SID mapping: Samba and SSSD

Robert Marcano robert at marcanoonline.com
Thu Sep 3 20:18:06 UTC 2020


On 9/3/20 2:55 PM, Andrew Walker via samba wrote:
> On Thu, Sep 3, 2020 at 2:23 PM Rowland penny via samba <
> samba at lists.samba.org> wrote:
> 
>> On 03/09/2020 19:19, Jeremy Allison wrote:
>>> On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
>>>> On 03/09/2020 18:04, Johan Hattne via samba wrote:
>>>>> Dear all;
>>>>>
>>>>> Would anybody be able to tell me what the idmap configuration is to have
>>>>> Samba do the same SID-to-user/group mapping as the SSSD defaults?  I was
>>>>> convinced I saw it on this list or the wiki not too long ago, but I
>>>>> cannot seem to find it.
>>>>>
>>>>> // Best wishes; Johan
>>>>>
>>>> If you mean the large numbers that sssd seems to use, then that is probably
>>>> not possible with Samba. From my understanding, sssd uses an algorithm that
>>>> uses a combination of the domain SID and the user/group RID to calculate the
>>>> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
>>>> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
>>>> attributes.
>>> Hmmm. Would it be useful to add an idmap backend
>>> that uses the same algorithm ?
>>
>> Please no, not another idmap backend, there are more than enough now ;-)
>>
>> Rowland
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> I could be wrong on this, but generally speaking, you can be compatible
> using idmap_rid if you set a low range identical to that of the low range
> in SSSD.

This is what I do. If the domain starts using more than the slice size, 
there could be a problem because SSSD allows multiple slices. I haven't 
tested sssd-winbind-idmap yet, which I mentioned in another response.
> 
> SSSD determines low range for initial id slice using approximately the
> following algorithm IIRC:
> ```c
> #include <stdint.h>
> #include <string.h>
> 
> /* 32-bit MurmurHash3 of the domain SID string, seeded with 0xdeadbeef */
> uint32_t murmur3(const char *key, size_t len, uint32_t seed);
> 
> int first_slice_low(const char *sid_str)
> {
>     uint32_t hash_val = 0;
>     int our_slice = 0;
>     int max_slices = 10000;
>     int final_value = 0;
>     int slice_size = 20000;
> 
>     hash_val = murmur3(sid_str, strlen(sid_str), 0xdeadbeef);
>     our_slice = hash_val % max_slices;                  /* hash picks the slice */
>     final_value = our_slice * slice_size + slice_size;  /* low end of that slice */
>     return final_value;
> }
> ```
> This works for the first slice, but slices after that are non-deterministic.
> 
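To check the compatibility claim in this thread against a concrete domain, here is a small script added for this page (it is neither SSSD nor Samba code) that reproduces the first-slice selection described in the quoted message and prints the idmap_rid range Samba would need to hand out the same IDs. It implements MurmurHash3_x86_32 in full, hashes the domain SID string with seed 0xdeadbeef as the quoted message describes, and uses the range defaults documented in sssd-ldap(5): ldap_idmap_range_min 200000, ldap_idmap_range_max 2000200000 and ldap_idmap_range_size 200000, which give 10000 slices. The low end of a slice is taken as range_min + slice * range_size; at those defaults range_min equals range_size, so this agrees with the "+ slice_size" term of the quoted approximation. Two further assumptions are labelled in the code: that SSSD maps ID = slice_min + RID inside the primary slice, and that idmap_rid maps ID = low_range + RID - base_rid. The sample domain SID is constructed.

```python
"""Reproduce SSSD's primary ID slice for a domain SID and derive the Samba
idmap_rid range that yields the same IDs for RIDs inside that slice.

Added illustration for this thread, not SSSD or Samba code.  Assumptions:
  * slice selection = MurmurHash3_x86_32(domain SID string, seed 0xdeadbeef)
    modulo the number of slices, as described in the quoted message;
  * range parameters default to the sssd-ldap(5) documented defaults
    (200000 / 2000200000 / 200000, i.e. 10000 slices);
  * inside the primary slice SSSD maps ID = slice_min + RID, and Samba
    idmap_rid maps ID = low_range + RID - base_rid.
"""
import struct

MASK32 = 0xFFFFFFFF
SSSD_SEED = 0xDEADBEEF  # seed quoted in the thread for the SID hash


def rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """Standard MurmurHash3_x86_32 over the whole input, returned as uint32."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # full 4-byte little-endian blocks
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                     # 0..3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)
    h ^= h >> 16                                  # finalisation mix
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def sssd_primary_slice(domain_sid, range_min=200000, range_max=2000200000,
                       range_size=200000):
    """Return (slice_index, slice_min, slice_max) of the domain's first slice."""
    n_slices = (range_max - range_min) // range_size
    h = murmurhash3_x86_32(domain_sid.encode("ascii"), SSSD_SEED)
    idx = h % n_slices
    lo = range_min + idx * range_size
    return idx, lo, lo + range_size - 1


def sssd_id_for(domain_sid, rid, range_min=200000, range_max=2000200000,
                range_size=200000):
    """ID SSSD assigns to RID within the primary slice (assumed slice_min + RID).

    Returns None when the RID does not fit the slice: SSSD would then allocate
    a secondary slice, which idmap_rid cannot follow (the caveat in the thread)."""
    _, lo, _ = sssd_primary_slice(domain_sid, range_min, range_max, range_size)
    if rid >= range_size:
        return None
    return lo + rid


def samba_rid_id(rid, low_id, base_rid=0):
    """idmap_rid mapping: ID = low_range + RID - base_rid."""
    return low_id + rid - base_rid


def smb_conf_idmap(netbios_domain, domain_sid, **range_opts):
    """smb.conf lines giving idmap_rid the same range as SSSD's first slice."""
    _, lo, hi = sssd_primary_slice(domain_sid, **range_opts)
    return "\n".join([
        f"idmap config {netbios_domain} : backend = rid",
        f"idmap config {netbios_domain} : range = {lo} - {hi}",
    ])


if __name__ == "__main__":
    SID = "S-1-5-21-3623811015-3361044348-30300820"   # constructed sample SID
    idx, lo, hi = sssd_primary_slice(SID)
    print(f"slice {idx}: {lo} - {hi}")
    print(smb_conf_idmap("EXAMPLE", SID))
    for rid in (500, 1106, 199999, 200000):
        print(rid, sssd_id_for(SID, rid), samba_rid_id(rid, lo))
```

Feed it the real domain SID (for example from `net getdomainsid` on the Samba side) and the range values actually set in sssd.conf if they differ from the defaults; the final column shows where idmap_rid stops agreeing, namely any RID at or above ldap_idmap_range_size, which is exactly the multiple-slice case raised above.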