[Samba] Moving to AD for idmap backend
Rowland Penny
rpenny at samba.org
Mon Nov 28 19:35:47 UTC 2022
On 28/11/2022 19:14, Vaughan, Robert J via samba wrote:
>> The problem is that you shouldn't overlap domain ranges, which you are
>> going to have to and this will lead to a collision somewhere down the
>> line when a user or group is created at the same time as another and
>> they both get the same ID number (yes it will happen, it is not case of
>> if, it is when).
>
> Rowland, can you please expand on that? You must be talking about a Windows user or group (at the same time?)
>
> Is this because winbind must create a mapping for every user it sees in AD? Even those users who are not Samba users and do not have uid specified?
>
In AD, you can create users etc on any DC, so it is possible for
sysadminA to create a user on one DC and for sysadminB to create the
same user on another DC. This would lead to a collision, one would be
okay and the other would be marked as a collision. You would only get
one valid user.
When it comes to the rfc2307 attributes, the same scenario could occur,
but with different usernames and the same uidNumber. There is nothing to
check for this, so you could get different users with the same Unix ID.
If you use the 'rid' or 'autorid' idmap backends, this will never
happen, because with multiple domains the NetBIOS domain name is part of
the user or group name.
If you use the 'ad' backend, you could (and probably will) get
collisions at some point.
Rowland
More information about the samba
mailing list