[Samba] Moving to AD for idmap backend

Rowland Penny rpenny at samba.org
Mon Nov 28 19:35:47 UTC 2022

On 28/11/2022 19:14, Vaughan, Robert J via samba wrote:
>> The problem is that you shouldn't overlap domain ranges, which you are
>> going to have to and this will lead to a collision somewhere down the
>> line when a user or group is created at the same time as another and
>> they both get the same ID number (yes it will happen, it is not case of
>> if, it is when).
> Rowland, can you please expand on that? You must be talking about a Windows user or group (at the same time?)
> Is this because winbind must create a mapping for every user it sees in AD?  Even those users who are not Samba users and do not have uid specified?

In AD, you can create users etc on any DC, so it is possible for 
sysadminA to create a user on one DC and for sysadminB to create the 
same user on another DC. This would lead to a collision, one would be 
okay and the other would be marked as a collision. You would only get 
one valid user.

When it comes to the rfc2307 attributes, the same scenario could occur, 
but with different usernames and the same uidNumber. There is nothing to 
check for this, so you could get different users with the same Unix ID.

If you use the 'rid' or 'autorid' idmap backends, this will never 
happen, because with multiple domains the NetBIOS domain name is part of 
the user or group name.

If you use the 'ad' backend, you could (and probably will) get 
collisions at some point.


More information about the samba mailing list