[Samba] Problem with AD & idmap

Rowland Penny rpenny at samba.org
Thu Mar 3 14:16:50 UTC 2022


On Thu, 2022-03-03 at 14:02 +0000, Adam Thorn via samba wrote:
> On 03/03/2022 13:22, L. van Belle via samba wrote:
> > And..  Small side note, this is different per distro.
> > 
> > cat /etc/adduser.conf |grep UID
> > 
> > # FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
> > # package, may assume that UIDs less than 100 are unallocated.
> > FIRST_SYSTEM_UID=100
> > LAST_SYSTEM_UID=999
> > 
> > # FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
> > FIRST_UID=1000
> > LAST_UID=29999
> > 
> > So, based on that, (*a Debian Buster server)..
> > 
> > Try to avoid these system ranges or at least think about these..
> 
> One might also have systemd services that make use of "Dynamic
> Users":
> 
> https://0pointer.net/blog/dynamic-users-with-systemd.html
> 
> systemd expects to be able to use UIDs in the range 61184–65519

Why, that is a valid Unix ID range

>  and I 
> don't believe that's configurable.

Why not?

>  Whilst it's OK to use some UIDs in 
> that range because (quoting from the above link)...
> 
> "You might wonder what happens if you already used UIDs from the
> 61184–65519 range on your system for other purposes. systemd should
> handle that mostly fine, as long as that usage is properly registered
> in the user database: when allocating a dynamic user we pick a UID,
> see if it is currently used somehow, and if yes pick a different one,
> until we find a free one. Whether a UID is used right now or not is
> checked through NSS calls"

And that is going to slow things down.

> 
> ...if you were to assign most of that UID range to users which NSS
> will say are in use, it might cause problems for your systemd
> services.

I have nothing personal against systemd, but only when it does what it
was supposed to do: be a replacement for sysv init. It has just got out
of hand now; thankfully, most of the crap can be turned off.

Please don't try to 'educate' me, I will not believe you.

Rowland
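
The range collisions discussed in this thread can be checked mechanically. The following is an added example, not code from any poster or from the Samba project: it reads the `idmap config ... : range` lines from smb.conf text and reports every span of IDs shared with the adduser.conf and systemd ranges quoted above, or with another idmap range. The domain name SAMDOM and the sample idmap ranges are constructed for illustration.

```python
import re
from itertools import combinations

# Ranges quoted in the thread (Debian Buster adduser.conf, systemd dynamic users).
RESERVED = {
    "adduser FIRST_SYSTEM_UID-LAST_SYSTEM_UID": (100, 999),
    "adduser FIRST_UID-LAST_UID": (1000, 29999),
    "systemd dynamic users": (61184, 65519),
}

# smb.conf line of the form: idmap config DOMAIN : range = LOW-HIGH
IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

# Constructed sample; SAMDOM and the numbers are assumptions, not from the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    # idmap config OLD : range = 100-200
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

def idmap_ranges(text):
    """Return {domain: (low, high)} for each idmap range line; comment lines never match."""
    found = {}
    for line in text.splitlines():
        m = IDMAP_RANGE.match(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
            found[m.group(1)] = (low, high)
    return found

def find_overlaps(text, reserved=RESERVED):
    """Return (owner_a, owner_b, first_id, last_id) for every shared ID span."""
    idmap = {f"idmap {d}": r for d, r in idmap_ranges(text).items()}
    pairs = [(a, b) for a in idmap.items() for b in reserved.items()]
    pairs += list(combinations(idmap.items(), 2))  # idmap ranges vs. each other
    hits = []
    for (name_a, (lo_a, hi_a)), (name_b, (lo_b, hi_b)) in pairs:
        first, last = max(lo_a, lo_b), min(hi_a, hi_b)
        if first <= last:  # the two inclusive ranges share at least one ID
            hits.append((name_a, name_b, first, last))
    return hits
```

Calling `find_overlaps(SAMPLE_SMB_CONF)` returns three spans for the sample: two against the adduser FIRST_UID-LAST_UID range and one covering the whole systemd dynamic-user range.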




