On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
> On 03/09/2020 18:04, Johan Hattne via samba wrote:
> > Dear all;
> >
> > Would anybody be able to tell me what the idmap configuration is to have
> > Samba do the same SID-to-user/group mapping as the SSSD defaults? I was
> > convinced I saw it on this list or the wiki not too long ago, but I
> > cannot seem to find it.
> >
> > // Best wishes; Johan
> >
> If you mean the large numbers that sssd seems to use, then that is probably
> not possible with Samba. From my understanding, sssd uses an algorithm that
> uses a combination of the domain SID and the user/group RID to calculate the
> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
> attributes.

Hmmm. Would it be useful to add an idmap backend that uses the same algorithm?

On 03/09/2020 19:19, Jeremy Allison wrote:
> On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
>> On 03/09/2020 18:04, Johan Hattne via samba wrote:
>>> Dear all;
>>>
>>> Would anybody be able to tell me what the idmap configuration is to have
>>> Samba do the same SID-to-user/group mapping as the SSSD defaults? I was
>>> convinced I saw it on this list or the wiki not too long ago, but I
>>> cannot seem to find it.
>>>
>>> // Best wishes; Johan
>>>
>> If you mean the large numbers that sssd seems to use, then that is probably
>> not possible with Samba. From my understanding, sssd uses an algorithm that
>> uses a combination of the domain SID and the user/group RID to calculate the
>> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
>> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
>> attributes.
> Hmmm. Would it be useful to add an idmap backend
> that uses the same algorithm?

Please no, not another idmap backend, there are more than enough now ;-)

Rowland

On Thu, Sep 3, 2020 at 2:23 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 03/09/2020 19:19, Jeremy Allison wrote:
> > On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
> >> On 03/09/2020 18:04, Johan Hattne via samba wrote:
> >>> Dear all;
> >>>
> >>> Would anybody be able to tell me what the idmap configuration is to have
> >>> Samba do the same SID-to-user/group mapping as the SSSD defaults? I was
> >>> convinced I saw it on this list or the wiki not too long ago, but I
> >>> cannot seem to find it.
> >>>
> >>> // Best wishes; Johan
> >>>
> >> If you mean the large numbers that sssd seems to use, then that is probably
> >> not possible with Samba. From my understanding, sssd uses an algorithm that
> >> uses a combination of the domain SID and the user/group RID to calculate the
> >> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
> >> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
> >> attributes.
> > Hmmm. Would it be useful to add an idmap backend
> > that uses the same algorithm?
>
> Please no, not another idmap backend, there are more than enough now ;-)
>
> Rowland

I could be wrong on this, but generally speaking, you can be compatible using idmap_rid if you set a low range identical to that of the low range in SSSD. SSSD determines low range for initial id slice using approximately the following algorithm IIRC:

```
uint32_t hash_val = 0;
int our_slice = 0;
int max_slices = 10000;
int final_value = 0;
int slice_size = 20000;

/* hash the domain SID string, then pick one of max_slices slices */
hash_val = murmur3(sid_str, strlen(sid_str), 0xdeadbeef);
our_slice = hash_val % max_slices;
/* lower bound of the first ID range for this domain */
final_value = our_slice * slice_size + slice_size;
```

This works for the first slice, but slices after that are non-deterministic.

On 9/3/20 2:19 PM, Jeremy Allison via samba wrote:
> On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
>> On 03/09/2020 18:04, Johan Hattne via samba wrote:
>>> Dear all;
>>>
>>> Would anybody be able to tell me what the idmap configuration is to have
>>> Samba do the same SID-to-user/group mapping as the SSSD defaults? I was
>>> convinced I saw it on this list or the wiki not too long ago, but I
>>> cannot seem to find it.
>>>
>>> // Best wishes; Johan
>>>
>> If you mean the large numbers that sssd seems to use, then that is probably
>> not possible with Samba. From my understanding, sssd uses an algorithm that
>> uses a combination of the domain SID and the user/group RID to calculate the
>> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
>> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
>> attributes.
>
> Hmmm. Would it be useful to add an idmap backend
> that uses the same algorithm?
>

There is an sssd provided idmapper (on RHEL/CentOS/Fedora); it is packaged as sssd-winbind-idmap. IIRC it doesn't reimplement the algorithm, just delegates the mapping to SSSD.

On 03/09/2020 21:15, Robert Marcano via samba wrote:
>
> There is an sssd provided idmapper (on RHEL/CentOS/Fedora); it is
> packaged as sssd-winbind-idmap. IIRC it doesn't reimplement the
> algorithm, just delegates the mapping to SSSD.
>

idmap-sss used to be in the Samba tree, but when it was going to be removed, red-hat took it into their sssd tree.

If you are using sssd with Samba >= 4.8.0 it is unsupported by red-hat and Samba.

Rowland

On 03/09/2020 21:38, Robert Marcano wrote:
> On 9/3/20 4:35 PM, Rowland penny via samba wrote:
>> On 03/09/2020 21:15, Robert Marcano via samba wrote:
>>>
>>> There is an sssd provided idmapper (on RHEL/CentOS/Fedora); it is
>>> packaged as sssd-winbind-idmap. IIRC it doesn't reimplement the
>>> algorithm, just delegates the mapping to SSSD.
>>>
>> idmap-sss used to be in the Samba tree, but when it was going to
>> be removed, red-hat took it into their sssd tree.
>>
>> If you are using sssd with Samba >= 4.8.0 it is unsupported by
>> red-hat and Samba.
>>
>> Rowland
>>
> Continue saying you can't run latest Samba release all you wish, it
> doesn't make it truth. I will continue helping the original post.

I refer you to my other post

Rowland Penny
Samba team member

On Thu, Sep 3, 2020 at 4:45 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 03/09/2020 21:38, Robert Marcano wrote:
> > On 9/3/20 4:35 PM, Rowland penny via samba wrote:
> >> On 03/09/2020 21:15, Robert Marcano via samba wrote:
> >>>
> >>> There is an sssd provided idmapper (on RHEL/CentOS/Fedora); it is
> >>> packaged as sssd-winbind-idmap. IIRC it doesn't reimplement the
> >>> algorithm, just delegates the mapping to SSSD.
> >>>
> >> idmap-sss used to be in the Samba tree, but when it was going to
> >> be removed, red-hat took it into their sssd tree.
> >>
> >> If you are using sssd with Samba >= 4.8.0 it is unsupported by
> >> red-hat and Samba.
> >>
> >> Rowland
> >>
> > Continue saying you can't run latest Samba release all you wish, it
> > doesn't make it truth. I will continue helping the original post.
>
> I refer you to my other post
>
> Rowland Penny
>
> Samba team member
>

This does make me wonder whether it would be worth adding an optional non-default parameter to idmap_autorid to have it use the sssd slicing algorithm to determine ranges. Sort of like SSSD has an autorid compatibility parameter.