On 03/09/2020 22:08, Jeremy Allison wrote:> On Thu, Sep 03, 2020 at 05:05:46PM -0400, Andrew Walker via samba wrote: >> On Thu, Sep 3, 2020 at 4:45 PM Rowland penny via samba < >> samba at lists.samba.org> wrote: >> >>> On 03/09/2020 21:38, Robert Marcano wrote: >>>> On 9/3/20 4:35 PM, Rowland penny via samba wrote: >>>>> On 03/09/2020 21:15, Robert Marcano via samba wrote: >>>>>> There is an sssd provided idmapper (on RHEL/CentOS/Fedora) it is >>>>>> packaged as sssd-winbind-idmap. IIRC it doesn't reimplement the >>>>>> algorithm, just delegate to SSSD the mapping >>>>>> >>>>> idmap-sss used to be in the Samba tree, but when it is was going to >>>>> be removed, red-hat took it into their sssd tree. >>>>> >>>>> If you are using sssd with Samba >= 4.8.0 it is unsupported by >>>>> red-hat and Samba. >>>>> >>>>> Rowland >>>>> >>>>> >>>>> >>>> Continue saying you can't run latest Samba release all you wish, it >>>> doesn't make it truth. I will continue helping the original post. >>> I refer you to my other post >>> >>> Rowland Penny >>> >>> Samba team member >>> >> This does make me wonder whether it would be worth adding an optional >> non-default parameter to idmap_autorid to have it use the sssd slicing >> algorithm to determine ranges. Sort of like SSSD has an autorid >> compatibility parameter. > Happy to review if you write it :-). Anything that > will remove friction moving to/from winbindd/sssd > would be good for users !And I will be happy to 'NACK' it, we do not need another idmap backend, well not unless it it is a total rewrite to give us something like how RID works on Windows and is the only idmap backend. There would be no friction if everyone would accept that using sssd with Samba is no longer supported by anyone. Red-Hat could make this more obvious by removing sssd-winbind-idmap, their documentation says it use isn't supported. Rowland
On Thu, Sep 03, 2020 at 10:20:09PM +0100, Rowland penny via samba wrote:> On 03/09/2020 22:08, Jeremy Allison wrote: > > Happy to review if you write it :-). Anything that > > will remove friction moving to/from winbindd/sssd > > would be good for users ! > > And I will be happy to 'NACK' it, we do not need another idmap backend, well > not unless it it is a total rewrite to give us something like how RID works > on Windows and is the only idmap backend. > > There would be no friction if everyone would accept that using sssd with > Samba is no longer supported by anyone. Red-Hat could make this more obvious > by removing sssd-winbind-idmap, their documentation says it use isn't > supported.I'm just trying to make users lives happier :-). Why do you hate happy users Rowland ? :-) :-). Seriously, people do need sometime to move to/from sssd/winbindd, and anything we can do to make that easier for them shouldn't be too controversial, so long as it's (a) optional and (b) not too ugly to live :-).
On Thu, Sep 03, 2020 at 10:20:09PM +0100, Rowland penny via samba wrote:> > Red-Hat could make this more obvious > by removing sssd-winbind-idmap, their documentation says it use isn't > supported.Actually on a more serious note, Red Hat could make the messaging around this a little clearer. How about it, Red Hat folks ?
On 9/3/20 4:36 PM, Jeremy Allison via samba wrote:> On Thu, Sep 03, 2020 at 10:20:09PM +0100, Rowland penny via samba wrote: >> >> Red-Hat could make this more obvious >> by removing sssd-winbind-idmap, their documentation says it use isn't >> supported. > > Actually on a more serious note, Red Hat could make the > messaging around this a little clearer. How about it, > Red Hat folks ? >Also, while that may all be well and true for Samba and sssd, they still push sssd as their preferred auth to AD mechanism. Which, might be how get into this pickle to being with. Or can be anyhow.
On Thu, Sep 3, 2020 at 5:20 PM Rowland penny via samba < samba at lists.samba.org> wrote:> On 03/09/2020 22:08, Jeremy Allison wrote: > > On Thu, Sep 03, 2020 at 05:05:46PM -0400, Andrew Walker via samba wrote: > >> On Thu, Sep 3, 2020 at 4:45 PM Rowland penny via samba < > >> samba at lists.samba.org> wrote: > >> > >>> On 03/09/2020 21:38, Robert Marcano wrote: > >>>> On 9/3/20 4:35 PM, Rowland penny via samba wrote: > >>>>> On 03/09/2020 21:15, Robert Marcano via samba wrote: > >>>>>> There is an sssd provided idmapper (on RHEL/CentOS/Fedora) it is > >>>>>> packaged as sssd-winbind-idmap. IIRC it doesn't reimplement the > >>>>>> algorithm, just delegate to SSSD the mapping > >>>>>> > >>>>> idmap-sss used to be in the Samba tree, but when it is was going to > >>>>> be removed, red-hat took it into their sssd tree. > >>>>> > >>>>> If you are using sssd with Samba >= 4.8.0 it is unsupported by > >>>>> red-hat and Samba. > >>>>> > >>>>> Rowland > >>>>> > >>>>> > >>>>> > >>>> Continue saying you can't run latest Samba release all you wish, it > >>>> doesn't make it truth. I will continue helping the original post. > >>> I refer you to my other post > >>> > >>> Rowland Penny > >>> > >>> Samba team member > >>> > >> This does make me wonder whether it would be worth adding an optional > >> non-default parameter to idmap_autorid to have it use the sssd slicing > >> algorithm to determine ranges. Sort of like SSSD has an autorid > >> compatibility parameter. > > Happy to review if you write it :-). Anything that > > will remove friction moving to/from winbindd/sssd > > would be good for users ! > > And I will be happy to 'NACK' it, we do not need another idmap backend, > well not unless it it is a total rewrite to give us something like how > RID works on Windows and is the only idmap backend. >I prefer not to have a proliferation of idmap backends. However, if we can somehow make it so that a user can add "idmap config * : sssd_compate true" and have autorid figure out its extension ranges using an sssd-style algorithm, that would probably be best.
On Thursday, 3 September 2020 16:26:37 PDT Andrew Walker via samba wrote:> I prefer not to have a proliferation of idmap backends. However, if we can > somehow make it so that a user can add "idmap config * : sssd_compate > true" and have autorid figure out its extension ranges using an sssd-style > algorithm, that would probably be best. >Mad, furious +1 on this! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part. URL: <http://lists.samba.org/pipermail/samba/attachments/20200903/299dbe5d/signature.sig>
On 03/09/2020 22:35, Jeremy Allison wrote:> On Thu, Sep 03, 2020 at 10:20:09PM +0100, Rowland penny via samba wrote: >> On 03/09/2020 22:08, Jeremy Allison wrote: >>> Happy to review if you write it :-). Anything that >>> will remove friction moving to/from winbindd/sssd >>> would be good for users ! >> And I will be happy to 'NACK' it, we do not need another idmap backend, well >> not unless it it is a total rewrite to give us something like how RID works >> on Windows and is the only idmap backend. >> >> There would be no friction if everyone would accept that using sssd with >> Samba is no longer supported by anyone. Red-Hat could make this more obvious >> by removing sssd-winbind-idmap, their documentation says it use isn't >> supported. > I'm just trying to make users lives happier :-). Why do you > hate happy users Rowland ? :-) :-).I do not hate happy users, I just do not see the point to sssd with Samba, I actually think they will be happier without sssd> > Seriously, people do need sometime to move to/from sssd/winbindd, > and anything we can do to make that easier for them shouldn't > be too controversial, so long as it's (a) optional and (b) not > too ugly to live :-).That I can understand, but there are other ways around this without writing yet another idmap backend. Rowland
On 04/09/2020 19:02, Gregory Sloop wrote:> Re: [Samba] SID mapping: Samba and SSSD > > > *Rpvs> On 03/09/2020 22:35, Jeremy Allison wrote: > >> On Thu, Sep 03, 2020 at 10:20:09PM +0100, Rowland penny via samba > wrote: > >>> On 03/09/2020 22:08, Jeremy Allison wrote: > >>>> Happy to review if you write it :-). Anything that > >>>> will remove friction moving to/from winbindd/sssd > >>>> would be good for users ! > >>> And I will be happy to 'NACK' it, we do not need another idmap > backend, well > >>> not unless it it is a total rewrite to give us something like how > RID works > >>> on Windows and is the only idmap backend. > > >>> There would be no friction if everyone would accept that using > sssd with > >>> Samba is no longer supported by anyone. Red-Hat could make this > more obvious > >>> by removing sssd-winbind-idmap, their documentation says it use isn't > >>> supported. > >> I'm just trying to make users lives happier :-). Why do you > >> hate happy users Rowland ? :-) :-). > Rpvs> I do not hate happy users, I just do not see the point to sssd with > Rpvs> Samba, I actually think they will be happier without sssd > > *It really seems to me like we ought to let users decide THEMSELVES, > what will make them happy, eh? > I'll just leave it there. >HI Gregory, no one is saying that users of Samba cannot use sssd, it is just that nobody will give you support if you do. If you are using Samba >= 4.8.0 with sssd on a Unix domain member, then you are on your own if you run into problems, unless you are asking for support to move to winbind. Rowland
Rpvs> On 04/09/2020 19:02, Gregory Sloop wrote:>> Re: [Samba] SID mapping: Samba and SSSD>> *Rpvs> On 03/09/2020 22:35, Jeremy Allison wrote: >> >> On Thu, Sep 03, 2020 at 10:20:09PM +0100, Rowland penny via samba >> wrote: >> >>> On 03/09/2020 22:08, Jeremy Allison wrote: >> >>>> Happy to review if you write it :-). Anything that >> >>>> will remove friction moving to/from winbindd/sssd >> >>>> would be good for users ! >> >>> And I will be happy to 'NACK' it, we do not need another idmap >> backend, well >> >>> not unless it it is a total rewrite to give us something like how >> RID works >> >>> on Windows and is the only idmap backend.>> >>> There would be no friction if everyone would accept that using >> sssd with >> >>> Samba is no longer supported by anyone. Red-Hat could make this >> more obvious >> >>> by removing sssd-winbind-idmap, their documentation says it use isn't >> >>> supported. >> >> I'm just trying to make users lives happier :-). Why do you >> >> hate happy users Rowland ? :-) :-). >> Rpvs> I do not hate happy users, I just do not see the point to sssd with >> Rpvs> Samba, I actually think they will be happier without sssd>> *It really seems to me like we ought to let users decide THEMSELVES, >> what will make them happy, eh? >> I'll just leave it there.Rpvs> HI Gregory, no one is saying that users of Samba cannot use sssd, it is Rpvs> just that nobody will give you support if you do. If you are using Samba >>= 4.8.0 with sssd on a Unix domain member, then you are on your own if Rpvs> you run into problems, unless you are asking for support to move to winbind. Rpvs> Rowland IMHO, that's not actually how you act and respond. When I saw this latest thread come up on SSSD, I was like; "Oh, no! Rowland's going to have puppies!", because you get so terribly exercised about SSSD questions. If you don't want to field any questions about SSSD, then don't. If you don't want to offer support on SSSD, then don't. But, again IMO, you aren't pleasant about any SSSD questions. I'm not sure why it's such a point of contention. I mean, look at this response. From here: https://lists.samba.org/archive/samba/2020-September/231767.html>> This does make me wonder whether it would be worth adding an optional >> non-default parameter to idmap_autorid to have it use the sssd slicing >> algorithm to determine ranges. Sort of like SSSD has an autorid >> compatibility parameter.> Happy to review if you write it :-). Anything that > will remove friction moving to/from winbindd/sssd > would be good for users !And I will be happy to 'NACK' it, we do not need another idmap backend, well not unless it it is a total rewrite to give us something like how RID works on Windows and is the only idmap backend. There would be no friction if everyone would accept that using sssd with Samba is no longer supported by anyone. Red-Hat could make this more obvious by removing sssd-winbind-idmap, their documentation says it use isn't supported. That's your response to your own Samba team member, JA. That's not just simply saying "It's not supported." IMO, that's being borish. And that's certainly not the only time you were abrasive in the thread. [Again, these are all my *opinions,* I have no idea if anyone else agrees or not.] You do a lot of fielding of questions on Samba, and that's great. It's a thankless job, and I'm sure it's a grind. I just think a deep breath occasionally when you're frustrated might be handy. -Greg