On Thu, Sep 3, 2020 at 2:23 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 03/09/2020 19:19, Jeremy Allison wrote:
> > On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
> >> On 03/09/2020 18:04, Johan Hattne via samba wrote:
> >>> Dear all;
> >>>
> >>> Would anybody be able to tell me what the idmap configuration is to have
> >>> Samba do the same SID-to-user/group mapping as the SSSD defaults? I was
> >>> convinced I saw it on this list or the wiki not too long ago, but I
> >>> cannot seem to find it.
> >>>
> >>> // Best wishes; Johan
> >>>
> >> If you mean the large numbers that sssd seems to use, then that is probably
> >> not possible with Samba. From my understanding, sssd uses an algorithm that
> >> uses a combination of the domain SID and the user/group RID to calculate the
> >> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
> >> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
> >> attributes.
> > Hmmm. Would it be useful to add an idmap backend
> > that uses the same algorithm ?
>
> Please no, not another idmap backend, there are more than enough now ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I could be wrong on this, but generally speaking, you can be compatible using idmap_rid if you set a low range identical to that of the low range in SSSD.

SSSD determines the low range for the initial id slice using approximately the following algorithm IIRC:

```
uint32_t hash_val = 0;
int our_slice = 0;
int max_slices = 10000;
int final_value = 0;
int slice_size = 20000;

hash_val = murmur3(sid_str, strlen(sid_str), 0xdeadbeef);
our_slice = hash_val % max_slices;
final_value = our_slice * slice_size + slice_size;
```

This works for the first slice, but slices after that are non-deterministic.
Whoops, fumbled my response a bit. Slice size by default is 200,000, and to clarify, the SID passed into murmur3() is the domain SID, not the SID of an individual user. Though, the manpage for sssd-ad should be consulted for precise details. My understanding though is as long as everything fits in one slice, then you can just use RID. If you have multiple slices, you're stuck with non-deterministic behavior from SSSD and so can continue to use RID in winbind config. Although, I'm happy for someone to prove me wrong (which is the way things usually happen when you open your mouth). :)

On Thu, Sep 3, 2020 at 2:55 PM Andrew Walker <walker.aj325 at gmail.com> wrote:

> On Thu, Sep 3, 2020 at 2:23 PM Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> On 03/09/2020 19:19, Jeremy Allison wrote:
>> > On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
>> >> On 03/09/2020 18:04, Johan Hattne via samba wrote:
>> >>> Dear all;
>> >>>
>> >>> Would anybody be able to tell me what the idmap configuration is to have
>> >>> Samba do the same SID-to-user/group mapping as the SSSD defaults? I was
>> >>> convinced I saw it on this list or the wiki not too long ago, but I
>> >>> cannot seem to find it.
>> >>>
>> >>> // Best wishes; Johan
>> >>>
>> >> If you mean the large numbers that sssd seems to use, then that is probably
>> >> not possible with Samba. From my understanding, sssd uses an algorithm that
>> >> uses a combination of the domain SID and the user/group RID to calculate the
>> >> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
>> >> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
>> >> attributes.
>> > Hmmm. Would it be useful to add an idmap backend
>> > that uses the same algorithm ?
>>
>> Please no, not another idmap backend, there are more than enough now ;-)
>>
>> Rowland
>
> I could be wrong on this, but generally speaking, you can be compatible
> using idmap_rid if you set a low range identical to that of the low range
> in SSSD.
>
> SSSD determines low range for initial id slice using approximately the
> following algorithm IIRC:
> ```
> uint32_t hash_val = 0;
> int our_slice = 0;
> int max_slices = 10000;
> int final_value = 0;
> int slice_size = 20000
>
> hash_val = murmur3(sid_str, strlen(sid_str), 0xdeadbeef);
> our_slice = hash_val % max_slices;
> final_value = our_slice * slice_size +slice_size;
> ```
> This works for the first slice, but slices after that are
> non-deterministic.
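The following is an added example for this thread, not code from Andrew, SSSD or Samba. It implements the approximation given in the two posts above: MurmurHash3 x86_32 over the domain SID string with seed 0xdeadbeef, slice = hash % 10000, first-slice base = slice * 200,000 + 200,000 (using the corrected 200,000 slice size), and then derives the `idmap config ... : backend = rid` / `range =` lines that would give winbind the same low range. The domain SID and NetBIOS name are constructed placeholders, and the formula is the thread's recollection rather than SSSD's actual source, so the real values should be checked against sssd-ad(5)/sssd-ldap(5) (the `ldap_idmap_range_*` options) before use. As the thread notes, agreement only holds while every RID fits in the first slice, and the example refuses to map RIDs outside it.

```python
"""First-slice SSSD ID base and matching idmap_rid range (added example).

Implements the approximation from the thread, not SSSD's own code.
"""
from typing import Optional

MAX_SLICES = 10000        # "max_slices" from the post
SLICE_SIZE = 200_000      # corrected default slice size from the follow-up post
MURMUR_SEED = 0xDEADBEEF  # seed quoted in the post
MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """Standard MurmurHash3 x86_32 (Austin Appleby's algorithm), pure Python."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    length = len(data)
    nblocks = length // 4
    # Body: 4-byte little-endian blocks.
    for i in range(nblocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    # Tail: remaining 1..3 bytes.
    tail = data[4 * nblocks:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    # Finalization mix.
    h1 ^= length
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1


def sssd_first_slice_base(domain_sid: str) -> int:
    """Lowest Unix ID of the first slice for domain_sid, per the post's formula.

    Assumption: SSSD hashes the textual domain SID (not a user SID) with
    murmur3 seed 0xdeadbeef and takes hash % max_slices.
    """
    hash_val = murmur3_32(domain_sid.encode("ascii"), MURMUR_SEED)
    our_slice = hash_val % MAX_SLICES
    return our_slice * SLICE_SIZE + SLICE_SIZE


def unix_id(domain_sid: str, rid: int) -> Optional[int]:
    """ID that both SSSD (first slice) and idmap_rid would assign to this RID.

    Returns None when the RID does not fit in the first slice; beyond that
    point the thread says SSSD's choice of slice is not reproducible.
    """
    if rid < 0 or rid >= SLICE_SIZE:
        return None
    return sssd_first_slice_base(domain_sid) + rid


def idmap_rid_config(netbios_name: str, domain_sid: str) -> str:
    """smb.conf idmap_rid lines whose low range equals the SSSD slice base.

    idmap_rid computes ID = low + RID, so setting low to the slice base makes
    winbind and SSSD agree for every RID below SLICE_SIZE.
    """
    low = sssd_first_slice_base(domain_sid)
    high = low + SLICE_SIZE - 1
    return "\n".join([
        f"idmap config {netbios_name} : backend = rid",
        f"idmap config {netbios_name} : range = {low}-{high}",
    ])


# Constructed placeholder domain SID; not a real domain.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

if __name__ == "__main__":
    print(idmap_rid_config("EXAMPLE", SAMPLE_SID))
    print("RID 1105 ->", unix_id(SAMPLE_SID, 1105))
    print("RID 250000 ->", unix_id(SAMPLE_SID, 250_000))  # outside first slice
```

Run it with the real domain SID (from `net getdomainsid` or the AD domain object) substituted for the placeholder, then compare the printed base against the UID SSSD actually hands out for a low-RID user on a host that already uses SSSD; if the two disagree, the slice size or minimum range on that host differs from the defaults assumed here and the `ldap_idmap_range_*` settings in sssd.conf are the place to look.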
On 03/09/2020 20:01, Andrew Walker wrote:

> Whoops, fumbled my response a bit. slice size by default is 200,000,
> and to clarify the SID passed into murmur3() is the domain SID, not
> SID of individual user. Though, manpage for sssd-ad should be
> consulted for precise details. My understanding though is as long as
> everything fits in one slice, then you can just use RID. If you have
> multiple slices, you're stuck with non-deterministic behavior from
> SSSD and so can continue to use RID in winbind config. Although, I'm
> happy for someone to prove me wrong (which is the way things usually
> happen when you open your mouth). :)

I don't think this is going to work. From my understanding, sssd calculates the Unix ID from the SID and the result may not be deterministic, and there is certainly no way that you could reproduce this with the winbind 'rid' backend.

Can we please forget that sssd exists? It doesn't work with Samba any more (even red-hat admits that).

Rowland
On 9/3/20 2:55 PM, Andrew Walker via samba wrote:

> On Thu, Sep 3, 2020 at 2:23 PM Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> On 03/09/2020 19:19, Jeremy Allison wrote:
>>> On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
>>>> On 03/09/2020 18:04, Johan Hattne via samba wrote:
>>>>> Dear all;
>>>>>
>>>>> Would anybody be able to tell me what the idmap configuration is to have
>>>>> Samba do the same SID-to-user/group mapping as the SSSD defaults? I was
>>>>> convinced I saw it on this list or the wiki not too long ago, but I
>>>>> cannot seem to find it.
>>>>>
>>>>> // Best wishes; Johan
>>>>>
>>>> If you mean the large numbers that sssd seems to use, then that is probably
>>>> not possible with Samba. From my understanding, sssd uses an algorithm that
>>>> uses a combination of the domain SID and the user/group RID to calculate the
>>>> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
>>>> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
>>>> attributes.
>>> Hmmm. Would it be useful to add an idmap backend
>>> that uses the same algorithm ?
>>
>> Please no, not another idmap backend, there are more than enough now ;-)
>>
>> Rowland
>
> I could be wrong on this, but generally speaking, you can be compatible
> using idmap_rid if you set a low range identical to that of the low range
> in SSSD.

This is what I do. If the domain starts using more than the slice size, there could be a problem because SSSD allows multiple slices. I haven't tested sssd-winbind-idmap yet, which I mentioned in another response.

> SSSD determines low range for initial id slice using approximately the
> following algorithm IIRC:
> ```
> uint32_t hash_val = 0;
> int our_slice = 0;
> int max_slices = 10000;
> int final_value = 0;
> int slice_size = 20000
>
> hash_val = murmur3(sid_str, strlen(sid_str), 0xdeadbeef);
> our_slice = hash_val % max_slices;
> final_value = our_slice * slice_size +slice_size;
> ```
> This works for the first slice, but slices after that are non-deterministic.
On 03/09/2020 21:18, Robert Marcano via samba wrote:

> This is what I do, if the domain start using more than the slice size,
> there could be a problem because SSSD allows multiple slices. I
> haven't tested sssd-winbind-idmap yet I mentioned in another response

That is what was known as idmap-sss; it relies on the winbind libs provided by sssd and is probably not compatible with Samba. I wouldn't use it and, as I said, red-hat doesn't support using sssd with Samba.

Rowland