[Samba] Problem with AD & idmap

Rowland Penny rpenny at samba.org
Thu Mar 3 20:17:08 UTC 2022


On Thu, 2022-03-03 at 20:01 +0000, Adam Thorn via samba wrote:
> On 03/03/2022 14:16, Rowland Penny via samba wrote:
> 
> > > One might also have systemd services that make use of "Dynamic
> > > Users":
> > > 
> > > https://0pointer.net/blog/dynamic-users-with-systemd.html
> > > 
> > > systemd expects to be able to use UIDs in the range 61184–65519
> > 
> > Why, that is a valid Unix ID range
> 
> I quote: "That's because distributions (specifically Fedora) tend to
> allocate regular users from below the 60000 range, and we don't want to
> step into that. ... Finally, we want to stay within the 16bit range"

Damn, I will have to turn off all my 64bit computers and go back to my
i286 :-D

> 
> > >   and I
> > > don't believe that's configurable.
> > 
> > Why not ?
> 
> You'd have to ask the systemd authors! ("And before you ask: no this
> range cannot be changed right now, it's compiled in. We might change
> that eventually however." My meaning of "configurable" excludes "modify
> the source and recompile")

Or, you will do it our way.

> 
> > >   Whilst it's OK to use some UIDs in
> > > that range because (quoting from the above link)...
> > > 
> > > "You might wonder what happens if you already used UIDs from the
> > > 61184–65519 range on your system for other purposes. systemd should
> > > handle that mostly fine, as long as that usage is properly registered
> > > in the user database: when allocating a dynamic user we pick a UID,
> > > see if it is currently used somehow, and if yes pick a different one,
> > > until we find a free one. Whether a UID is used right now or not is
> > > checked through NSS calls"
> > 
> > And that is going to slow things down.
> 
> https://github.com/systemd/systemd/blob/main/src/core/dynamic-user.c#L179
> looks like the relevant bit of code (based purely on a quick grep; I have
> zero familiarity with the code base). I was wrong: it'll try up to 100
> UIDs in that range chosen mainly at random and then give up if they're
> all in use. I suspect that means that users with DynamicUser systemd
> services really should treat UIDs 61184-65519 as out-of-bounds if
> possible.
> 
> A quick check on my Ubuntu Focal and Debian Bullseye servers finds
> almost no systemd services that use DynamicUsers, but the functionality
> is nonetheless there and others may have services installed that I do
> not!

This could be because since the beginning of the EPOCH, Linux has
placed system users starting from 0 up to 200, which was first raised
to 500 and then 999. This means that this fine piece of programming is
actually looking for a use.

Rowland
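The allocation behaviour quoted above (pick a UID in 61184-65519, ask NSS whether it is taken, retry up to 100 times, then give up) is easy to run into when a Samba idmap range is wide enough to cover that whole block. The script below is an added example written for this archive page; it is not code from the thread, from Samba, or from systemd. The range bounds and the retry limit are the figures quoted in the thread; the smb.conf fragment is constructed for the demonstration; `allocate_dynamic_uid` mirrors the strategy as the thread describes it rather than systemd's actual implementation; and `nss_uid_in_use` uses `pwd.getpwuid` as the NSS lookup.

```python
"""Check Samba idmap ranges against systemd's compiled-in DynamicUser range.

Added example for the mailing-list thread, not Samba or systemd code.
The constants come from the figures quoted in the thread; the smb.conf
text is constructed; the allocator simulates the described strategy.
"""
import pwd
import random
import re

# Range and retry limit as quoted in the thread (assumed, not read from systemd).
SYSTEMD_DYNAMIC_UID_MIN = 61184
SYSTEMD_DYNAMIC_UID_MAX = 65519
MAX_ATTEMPTS = 100

# Constructed smb.conf fragment: the EXAMPLE backend's range swallows the
# entire systemd dynamic range, the default backend's range does not.
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
"""

# Same fragment with the domain range moved above the 16-bit UID space.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace("10000-999999", "100000-999999")

IDMAP_RANGE_RE = re.compile(
    r"^[ \t]*idmap config[ \t]+(\S+)[ \t]*:[ \t]*range[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in IDMAP_RANGE_RE.finditer(conf)}


def overlap(a, b):
    """Return the intersection of two inclusive (low, high) ranges, or None."""
    low, high = max(a[0], b[0]), min(a[1], b[1])
    return (low, high) if low <= high else None


def check_against_systemd(conf):
    """Map each idmap domain to the part of its range systemd also wants."""
    systemd = (SYSTEMD_DYNAMIC_UID_MIN, SYSTEMD_DYNAMIC_UID_MAX)
    hits = {}
    for domain, rng in parse_idmap_ranges(conf).items():
        clash = overlap(rng, systemd)
        if clash:
            hits[domain] = clash
    return hits


def idmap_claims_uid(conf):
    """Predicate answering 'would winbind/idmap hand out this UID?'."""
    ranges = list(parse_idmap_ranges(conf).values())
    return lambda uid: any(lo <= uid <= hi for lo, hi in ranges)


def nss_uid_in_use(uid):
    """Real NSS lookup: True if any passwd source knows this UID."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def allocate_dynamic_uid(uid_in_use, rng=None):
    """Simulate the described strategy: random pick, NSS check, 100 tries.

    Returns the allocated UID, or None when every attempt hit a used UID,
    which is the failure mode for an idmap range covering the whole block.
    """
    if rng is None:
        rng = random.Random(0)  # fixed seed so runs are reproducible
    for _ in range(MAX_ATTEMPTS):
        uid = rng.randint(SYSTEMD_DYNAMIC_UID_MIN, SYSTEMD_DYNAMIC_UID_MAX)
        if not uid_in_use(uid):
            return uid
    return None


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, "clashes:", check_against_systemd(conf))
        print(label, "DynamicUser allocation:",
              allocate_dynamic_uid(idmap_claims_uid(conf)))
```

Against the constructed fragment, the EXAMPLE range clashes on the full 61184-65519 block and the simulated allocation exhausts its 100 attempts and returns None; with the domain range moved to 100000-999999 there is no clash and the first pick succeeds. On a real host, pass `nss_uid_in_use` (or a predicate combining it with `idmap_claims_uid`) to `allocate_dynamic_uid` to see what winbind's NSS answers actually look like.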
