[Samba] Problem with AD & idmap
Adam Thorn
alt36 at cam.ac.uk
Thu Mar 3 20:01:33 UTC 2022
On 03/03/2022 14:16, Rowland Penny via samba wrote:
>> One might also have systemd services that make use of "Dynamic
>> Users":
>>
>> https://0pointer.net/blog/dynamic-users-with-systemd.html
>>
>> systemd expects to be able to use UIDs in the range 61184–65519
>
> Why, that is a valid Unix ID range
I quote: "That's because distributions (specifically Fedora) tend to
allocate regular users from below the 60000 range, and we don't want to
step into that. ... Finally, we want to stay within the 16bit range"
>> and I
>> don't believe that's configurable.
>
> Why not ?
You'd have to ask the systemd authors! ("And before you ask: no this
range cannot be changed right now, it's compiled in. We might change
that eventually however." My meaning of "configurable" excludes "modify
the source and recompile")
>> Whilst it's OK to use some UIDs in
>> that range because (quoting from the above link)...
>>
>> "You might wonder what happens if you already used UIDs from the
>> 61184–65519 range on your system for other purposes. systemd should
>> handle that mostly fine, as long as that usage is properly registered
>> in
>> the user database: when allocating a dynamic user we pick a UID, see
>> if
>> it is currently used somehow, and if yes pick a different one, until
>> we
>> find a free one. Whether a UID is used right now or not is checked
>> through NSS calls"
>
> And that is going to slow things down.
https://github.com/systemd/systemd/blob/main/src/core/dynamic-user.c#L179 looks
like the relevant bit of code (based purely on a quick grep; I have zero
familiarity with the code base). I was wrong: it'll try up to 100 UIDs
in that range chosen mainly at random and then give up if they're all in
use. I suspect that means that users with DynamicUser systemd services
really should treat UIDs 61184-65519 as out-of-bounds if possible.
A quick check on my Ubuntu Focal and Debian Bullseye servers finds
almost no systemd services that use DynamicUsers, but the functionality
is nonetheless there and others may have services installed that I do not!
Adam
More information about the samba
mailing list