[Samba] Problem with AD & idmap
rpenny at samba.org
Thu Mar 3 20:17:08 UTC 2022
On Thu, 2022-03-03 at 20:01 +0000, Adam Thorn via samba wrote:
> On 03/03/2022 14:16, Rowland Penny via samba wrote:
> > > One might also have systemd services that make use of "Dynamic
> > > Users":
> > >
> > > https://0pointer.net/blog/dynamic-users-with-systemd.html
> > >
> > > systemd expects to be able to use UIDs in the range 61184–65519
> > Why, that is a valid Unix ID range
> I quote: "That's because distributions (specifically Fedora) tend to
> allocate regular users from below the 60000 range, and we don't want
> to step into that. ... Finally, we want to stay within the 16bit range"
Damn, I will have to turn off all my 64bit computers and go back to my
> > > and I
> > > don't believe that's configurable.
> > Why not ?
> You'd have to ask the systemd authors! ("And before you ask: no this
> range cannot be changed right now, it's compiled in. We might change
> that eventually however." My meaning of "configurable" excludes
> the source and recompile")
Or, you will do it our way.
> > > Whilst it's OK to use some UIDs in
> > > that range because (quoting from the above link)...
> > >
> > > "You might wonder what happens if you already used UIDs from the
> > > 61184–65519 range on your system for other purposes. systemd
> > > should
> > > handle that mostly fine, as long as that usage is properly
> > > registered
> > > in
> > > the user database: when allocating a dynamic user we pick a UID,
> > > see
> > > if
> > > it is currently used somehow, and if yes pick a different one,
> > > until
> > > we
> > > find a free one. Whether a UID is used right now or not is
> > > checked
> > > through NSS calls"
> > And that is going to slow things down.
> like the relevant bit of code (based purely on a quick grep; I have
> familiarity with the code base). I was wrong: it'll try up to 100
> in that range chosen mainly at random and then give up if they're all
> use. I suspect that means that users with DynamicUser systemd
> really should treat UIDs 61184-65519 as out-of-bounds if possible.
> A quick check on my Ubuntu Focal and Debian Bullseye servers finds
> almost no systemd services that use DynamicUsers, but the
> is nonetheless there and others may have services installed that I do
This could be because since the beginning of the EPOCH, Linux has
placed system users starting from 0 up to 200, which was first raised
to 500 and then 999. This means that this fine piece of programming is
actually looking for a use.
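
Added example, not part of the original message: a check that reports which `idmap config ... : range` lines in an smb.conf overlap the 61184-65519 range quoted in the thread. The domain name SAMDOM, the sample ranges and the function names are constructed for illustration.

```python
import re

# systemd DynamicUser= UID range as quoted in the thread
DYNAMIC_MIN, DYNAMIC_MAX = 61184, 65519

# Matches smb.conf lines such as "idmap config SAMDOM : range = 10000-999999"
RANGE_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$",
    re.IGNORECASE,
)

def idmap_ranges(conf_text):
    """Yield (domain, low, high) for every active idmap range line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        m = RANGE_RE.match(line)
        if m:
            yield m["dom"].strip(), int(m["lo"]), int(m["hi"])

def overlaps_dynamic_range(conf_text):
    """Return [(domain, first_clash, last_clash)] for ranges that intersect
    the dynamic-user range; an empty list means no overlap."""
    clashes = []
    for dom, lo, hi in idmap_ranges(conf_text):
        if lo > hi:
            raise ValueError(f"idmap range for {dom} is inverted: {lo}-{hi}")
        first, last = max(lo, DYNAMIC_MIN), min(hi, DYNAMIC_MAX)
        if first <= last:
            clashes.append((dom, first, last))
    return clashes

# Constructed sample configuration (not taken from the thread)
SAMPLE_CONF = """\
[global]
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    # idmap config OLD : range = 60000-70000
"""

if __name__ == "__main__":
    for dom, first, last in overlaps_dynamic_range(SAMPLE_CONF):
        print(f"{dom}: IDs {first}-{last} fall inside the systemd dynamic range")
```
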