[Samba] Problem with AD & idmap

Adam Thorn alt36 at cam.ac.uk
Thu Mar 3 20:01:33 UTC 2022

On 03/03/2022 14:16, Rowland Penny via samba wrote:

>> One might also have systemd services that make use of "Dynamic
>> Users":
>> https://0pointer.net/blog/dynamic-users-with-systemd.html
>> systemd expects to be able to use UIDs in the range 61184–65519
> Why, that is a valid Unix ID range

I quote: "That's because distributions (specifically Fedora) tend to 
allocate regular users from below the 60000 range, and we don't want to 
step into that. ... Finally, we want to stay within the 16bit range"

>> and I don't believe that's configurable.
> Why not ?

You'd have to ask the systemd authors! ("And before you ask: no this 
range cannot be changed right now, it's compiled in. We might change 
that eventually however." My meaning of "configurable" excludes "modify 
the source and recompile")

>> Whilst it's OK to use some UIDs in that range because (quoting from the
>> above link)...
>> "You might wonder what happens if you already used UIDs from the
>> 61184–65519 range on your system for other purposes. systemd should
>> handle that mostly fine, as long as that usage is properly registered in
>> the user database: when allocating a dynamic user we pick a UID, see if
>> it is currently used somehow, and if yes pick a different one, until we
>> find a free one. Whether a UID is used right now or not is checked
>> through NSS calls"
> And that is going to slow things down.

https://github.com/systemd/systemd/blob/main/src/core/dynamic-user.c#L179 looks 
like the relevant bit of code (based purely on a quick grep; I have zero 
familiarity with the code base). I was wrong: it'll try up to 100 UIDs 
in that range chosen mainly at random and then give up if they're all in 
use. I suspect that means that users with DynamicUser systemd services 
really should treat UIDs 61184-65519 as out-of-bounds if possible.

A quick check on my Ubuntu Focal and Debian Bullseye servers finds 
almost no systemd services that use DynamicUsers, but the functionality 
is nonetheless there and others may have services installed that I do not!
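A defender-side check for the collision the thread is worried about, added here as an example that is not from the post, from Samba or from systemd: it parses `idmap config ... : range` lines from smb.conf text and reports any slice of each range that falls inside systemd's 61184-65519 DynamicUser range. The smb.conf fragment and the assumed line format are constructed for the example.

```python
"""Check whether Samba idmap ranges overlap systemd's DynamicUser UID range.

Added example, not from the mailing-list post or from Samba/systemd.
Assumes smb.conf lines of the form 'idmap config DOMAIN : range = LOW-HIGH'.
"""
import re

# UID range systemd reserves for DynamicUser= services, as quoted in the thread.
DYNAMIC_USER_RANGE = (61184, 65519)

# Matches e.g. "idmap config * : range = 10000-999999" (whitespace/case tolerant).
_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*range\s*=\s*(?P<low>\d+)\s*-\s*(?P<high>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(smb_conf_text):
    """Return {domain: (low, high)} for every idmap range found in smb.conf text."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            ranges[m.group("domain")] = (int(m.group("low")), int(m.group("high")))
    return ranges


def overlap(a, b):
    """Return the inclusive overlap of two (low, high) ranges, or None if disjoint."""
    low, high = max(a[0], b[0]), min(a[1], b[1])
    return (low, high) if low <= high else None


def check_dynamic_user_overlap(smb_conf_text):
    """Map each idmap domain to the slice of its range that collides with DynamicUser UIDs."""
    return {domain: overlap(rng, DYNAMIC_USER_RANGE)
            for domain, rng in parse_idmap_ranges(smb_conf_text).items()}


# Constructed sample: a small default range is safe, a wide rid-backend range collides.
SAMPLE_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

if __name__ == "__main__":
    for domain, clash in check_dynamic_user_overlap(SAMPLE_SMB_CONF).items():
        if clash:
            print(f"{domain}: idmap range overlaps DynamicUser UIDs {clash[0]}-{clash[1]}")
        else:
            print(f"{domain}: no overlap with DynamicUser range")
```

On a live host, feeding the script the output of `testparm -s` instead of the embedded sample gives the effective configuration rather than whatever is literally in the file.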
