[PATCH] Check idmap config with testparm
Andreas Schneider
asn at samba.org
Thu Dec 8 08:52:34 UTC 2016
On Thursday, 8 December 2016 10:47:50 CET Alexander Bokovoy wrote:
> On Thu, 08 Dec 2016, Andreas Schneider wrote:
> > On Thursday, 8 December 2016 08:42:37 CET Michael Adam wrote:
> > > On 2016-12-07 at 18:43 +0100, Andreas Schneider wrote:
> > > > Hello,
> > > >
> > > > you might know I work for a Distributor and fix winbind issues
> > > > there every day.
> > > > I see so many invalid idmap configurations, I think 70% of the
> > > > configs are wrong or invalid.
> > > >
> > > > In addition our documentation for ID mapping really sucks!
> > >
> > > Hmm, I take this a little bit as a personal affront.
> > > Let me reply with a similar non-diplomatic statement:
> > >
> > >
> > > People should learn to read! :-)
> > >
> > >
> > > Have you read the section about "idmap config DOMAIN : OPTION" in
> > > "man smb.conf" and the backend specific manpages?
> > >
> > > Among other things, smb.conf clearly states:
> > > "The first three of these [idmap_tdb, idmap_tdb2, idmap_ldap]
> > > create mappings of their own using internal unixid counters and
> > > store the mappings in a database. These are suitable for use in
> > > the default idmap configuration."
> >
> > I do read those things but our customers don't. So should we abort if
> > something else than these backends are used for the default domain?
> >
> > Simply do not start winbind ...
> >
> > > As well as:
> > > "The configured ranges must be mutually disjoint."
> > >
> > > Also, for further examples, reading the manpages of idmap_rid,
> > >
> > > I see:
> > > "One usually needs to define a writeable default idmap range,
> > > using a backend like tdb or ldap that can create unix ids."
> > >
> > > Looking at idmap_ad:
> > > "the ad backend does not work as the default idmap backend, but
> > > one has to configure it separately for each domain for which
> > > one wants to use it, using disjoint ranges."
> > >
> > > Enough examples. The doc is certainly not perfect, but
> > > saying it sucks just proves not having read it, imho.
> >
> > The issue is that often our users do not read manpages. They search the
> > web and what they find there lacks good information, explanations and
> > examples.
> >
> > I know how to configure ID mapping, our customers don't and clearly do not
> > read the smb.conf manpage :(
> >
> >
> > This is not against you. It is also my fault that I didn't improve
> > documentation earlier. But if our customers do not understand it, it sucks
> > ;)
> >
> > So let's improve it :-)
>
> What about this patch: add a top level identity management section to
> smb.conf(5) so that we can gather references to other documentation we
> have around the idmap modules?
>
> The suggestion then would be 'read smb.conf(5), section on identity
> management, and all the references it contains'.

That looks good. I think somewhere we need an example of a default
configuration. Like

    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 100000000-199999999

I think this is mostly used. I think this would help people to get started.

    Andreas

--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
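
Added example, not part of the thread and not Samba's testparm code: a Python sketch of the kind of check the subject line asks for, applying the two rules quoted from the man pages above (default backend is one of tdb, tdb2, ldap; configured ranges are mutually disjoint). The function names and the `BAD` sample are constructed, and rejecting every other default backend is an assumption of the sketch.

```python
import re

# Backends the smb.conf(5) text quoted in the thread names as suitable for the
# default ("*") domain; rejecting all others is an assumption of this sketch.
DEFAULT_OK = {"tdb", "tdb2", "ldap"}
LINE = re.compile(r"^[ \t]*idmap[ \t]+config[ \t]+([^\s:]+)[ \t]*:[ \t]*"
                  r"(backend|range)[ \t]*=[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for domain, option, value in LINE.findall(text):
        entry = domains.setdefault(domain.upper(), {})
        if option.lower() == "backend":
            entry["backend"] = value.lower()
        else:
            m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            # A malformed range is stored as (1, 0) so the checker flags it.
            entry["range"] = tuple(map(int, m.groups())) if m else (1, 0)
    return domains

def check_idmap(text):
    """Return a list of problems; an empty list means none were found."""
    domains, problems, ranges = parse_idmap(text), [], []
    backend = domains.get("*", {}).get("backend")
    if backend not in DEFAULT_OK:
        problems.append(f"default backend {backend!r} is not tdb, tdb2 or ldap")
    for name, entry in domains.items():
        low, high = entry.get("range", (1, 0))
        if low > high:
            problems.append(f"{name}: range missing, malformed or inverted")
        else:
            ranges.append((low, high, name))
    widest = None  # range with the highest upper bound seen so far
    for low, high, name in sorted(ranges):
        if widest and low <= widest[1]:
            problems.append(f"{widest[2]} and {name}: ranges overlap")
        if widest is None or high > widest[1]:
            widest = (low, high, name)
    return problems

# From the thread: the default configuration proposed in the reply above.
GOOD = """idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 100000000-199999999"""
# Constructed: rid as the default backend, and two ranges that overlap.
BAD = """idmap config * : backend = rid
idmap config * : range = 10000-199999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 100000-299999"""
```

`check_idmap(GOOD)` returns an empty list; `check_idmap(BAD)` reports the default backend and the overlap between `*` and `EXAMPLE`.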