Is it possible for the uid/gid numbers that are generated by the idmap_rid and idmap_hash to collide if there are a large number of users or groups? I cannot seem to find any documentation on the limitations of these plugins. Before using them I want to make absolutely sure that there won't be any collisions.

In doing some research about Likewise Open, I see its hashing routine can have this problem:

"If your Active Directory relative identifiers, or RIDs, are a number greater than 524,287, the Likewise Open algorithm that generates UIDs and GIDs can result in UID-GID collisions among users and groups. In such cases, it is recommended that you use Likewise Enterprise or that you use the Likewise UID-GID management tool."

http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html#AboutLikewiseAgent

I was somehow thinking that Likewise is based on Samba, although I don't remember where I heard that so it could be total BS.

Does anyone know about the limitations of these idmap backends?
On Tue, Nov 10, 2009 at 06:34:13PM -0800, Nick wrote:
> Is it possible for the uid/gid numbers that are generated by the
> idmap_rid and idmap_hash to collide if there are a large number of
> users or groups? I cannot seem to find any documentation on the
> limitations of these plugins. Before using I want to make absolutely
> sure that there won't be any collisions.

With idmap_rid you have to take care of splicing up the rid space yourself. If you don't do that according to your domains, you get overlap.

idmap_hash indeed will generate collisions if you have more than 2^19 (524287) objects in a domain.

> I was somehow thinking that Likewise is based on Samba, although I
> don't remember where I heard that so it could be total BS.

Likewise used to be based on Samba. It is not anymore. Please contact Likewise themselves for questions about their product.

Volker
Hey Nick,

Nick wrote:
> Is it possible for the uid/gid numbers that are generated by the
> idmap_rid and idmap_hash to collide if there are a large number of
> users or groups? I cannot seem to find any documentation on the
> limitations of these plugins. Before using I want to make absolutely
> sure that there won't be any collisions.

There is a small chance of collision based on the domain sid. In testing the mean average was about 40 trusted domains but I've seen it much lower on rare occasions. Also, if the highest RID in your domain is > (as Volker points out) 2^19, the plugin will suffer from integer overflow. There's a slide or two outlining the algorithm in this slide deck from LinuxWorld SF '08:

http://archives.likewiseopen.org/~gcarter/presentations/likewise_open_first_class_citizen_lwsf08.pdf

> In doing some research about Likewise Open, I see it's hashing routine
> can have this problem:
>
> "If your Active Directory relative identifiers, or RIDs, are a number
> greater than 524,287, the Likewise Open algorithm that generates UIDs
> and GIDs can result in UID-GID collisions among users and groups. In
> such cases, it is recommended that you use Likewise Enterprise or that
> you use the Likewise UID-GID management tool."
>
> http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html#AboutLikewiseAgent
>
> I was somehow thinking that Likewise is based on Samba, although I
> don't remember where I heard that so it could be total BS.

Likewise Identity 3.x and 4.x were based on winbindd. That's when I wrote the original idmap_hash and pushed it upstream. The Likewise 5.x code base moved to a new single process threaded authentication service named lsassd, but still supports the hashing mechanism for unprovisioned AD domains. The "enterprise" version and the uid/gid management tool you reference above just allow you to manually administer uid and gid assignments in AD (that will be picked up by lsassd).

Does that help clarify?
cheers, jerry
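As an added example that is not from this thread or from Samba's own code, the following Python models the two failure modes the replies above describe: idmap_rid ranges that overlap between domains (Volker's "splicing up the rid space" point) and RIDs at or beyond 2^19 folding onto another object's id in an idmap_hash-style layout (the 2^19 limit Volker and Jerry cite, and Jerry's note that two domains whose SID hashes coincide also collide). The smb.conf-style ranges, the domain SID, the crc32 stand-in for the domain hash and the 31/19-bit split are all assumptions for illustration, not Samba's actual idmap_hash algorithm.

```python
import zlib
from collections import defaultdict

# Constructed smb.conf-style idmap_rid ranges ("idmap config DOM : range = low-high").
# Made-up domains and numbers; LAB deliberately overlaps both of its neighbours.
RID_RANGES = {
    "CORP":    (10000, 19999),
    "PARTNER": (20000, 29999),
    "LAB":     (15000, 24999),
}

def rid_to_unix_id(ranges, domain, rid):
    """idmap_rid: unix id = range low + RID; a RID past the range top is unmappable."""
    low, high = ranges[domain]
    unix_id = low + rid
    if unix_id > high:
        raise ValueError(f"{domain} RID {rid} -> {unix_id} exceeds range {low}-{high}")
    return unix_id

def overlapping_ranges(ranges):
    """Pairs of domains whose idmap_rid ranges intersect: the splicing mistake
    Volker describes, where users of two domains end up sharing unix ids."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes

RID_BITS = 19          # the thread's per-domain limit: 2^19 = 524288 RIDs
TOTAL_BITS = 31        # positive signed 32-bit id space (assumption for the model)

def hash_style_id(domain_sid, rid):
    """Model of an idmap_hash-style layout (an assumption, not Samba's exact code):
    the low RID_BITS bits carry the RID, the bits above carry a short hash of the
    domain SID (crc32 is a stand-in). RIDs >= 2^RID_BITS lose their top bits and
    land on another object's id, which is the overflow Jerry mentions; two domain
    SIDs with the same short hash likewise collide on equal RIDs."""
    dom_hash = zlib.crc32(domain_sid.encode()) & ((1 << (TOTAL_BITS - RID_BITS)) - 1)
    return (dom_hash << RID_BITS) | (rid & ((1 << RID_BITS) - 1))

def find_hash_collisions(domain_sid, rids):
    """Group RIDs of one domain that map to the same unix id under hash_style_id."""
    by_id = defaultdict(list)
    for rid in rids:
        by_id[hash_style_id(domain_sid, rid)].append(rid)
    return {uid: rs for uid, rs in by_id.items() if len(rs) > 1}
```

Running `overlapping_ranges(RID_RANGES)` flags CORP/LAB and LAB/PARTNER, and `find_hash_collisions` shows RID 5 and RID 5 + 2^19 landing on one id for the same domain.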
On Wed, Nov 11, 2009 at 10:18 AM, Gerald Carter <jerry at plainjoe.org> wrote:
> Robert LeBlanc wrote:
>
> > So if I understand right, hash does not hash the SID, it does the
> > same as rid and takes the last section directly from the SID
> > and uses that without modification (rid adds that number to the
> > lower range number).
>
> idmap_hash *does* the SID.
>

That is what I initially thought.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University