On 28/11/2022 19:14, Vaughan, Robert J via samba wrote:
>> The problem is that you shouldn't overlap domain ranges, which you are
>> going to have to and this will lead to a collision somewhere down the
>> line when a user or group is created at the same time as another and
>> they both get the same ID number (yes it will happen, it is not a case of
>> if, it is when).
>
> Rowland, can you please expand on that? You must be talking about a Windows
> user or group (at the same time?)
>
> Is this because winbind must create a mapping for every user it sees in AD?
> Even those users who are not Samba users and do not have uid specified?
>
In AD, you can create users etc. on any DC, so it is possible for
sysadminA to create a user on one DC and for sysadminB to create the
same user on another DC. This would lead to a collision: one would be
okay and the other would be marked as a collision. You would only get
one valid user.
When it comes to the rfc2307 attributes, the same scenario could occur,
but with different usernames and the same uidNumber. There is nothing to
check for this, so you could get different users with the same Unix ID.
If you use the 'rid' or 'autorid' idmap backends, this will never
happen, because with multiple domains the NetBIOS domain name is part of
the user or group name.
If you use the 'ad' backend, you could (and probably will) get
collisions at some point.
Rowland
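The two failure modes Rowland describes, overlapping idmap ranges in smb.conf and duplicate uidNumber values in AD that nothing checks for, can both be audited before they bite. The following is an added example, not code from the thread or from Samba: it parses a constructed smb.conf fragment and a constructed LDIF dump (hypothetical domains SAMDOM and OTHERDOM, users alice/carol/dave) and reports the collisions.

```python
import re
from collections import defaultdict

# Constructed smb.conf fragment (hypothetical domains, not from the thread).
SMB_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
    idmap config OTHERDOM : backend = rid
    idmap config OTHERDOM : range = 500000-1999999
"""

# Constructed LDIF as 'ldbsearch'/'ldapsearch' would print it; 'dave' has no uidNumber.
AD_LDIF = """
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10001

dn: CN=dave,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: dave
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def idmap_ranges(conf):
    """Map each idmap domain to its (low, high) ID range."""
    found = (RANGE_RE.match(line) for line in conf.splitlines())
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in found if m}

def overlapping_ranges(ranges):
    """Return (domA, domB) pairs whose ranges share at least one ID."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(da, db) for i, (da, (la, ha)) in enumerate(items)
            for db, (lb, hb) in items[i + 1:] if lb <= ha and la <= hb]

def duplicate_uidnumbers(ldif):
    """Map each uidNumber held by more than one entry to the account names using it."""
    holders = defaultdict(list)
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        if "uidNumber" in attrs:  # entries without the attribute get no static mapping
            holders[int(attrs["uidNumber"])].append(attrs["sAMAccountName"])
    return {uid: names for uid, names in holders.items() if len(names) > 1}
```

On a real DC, feed `duplicate_uidnumbers` the output of an ldbsearch/ldapsearch for objects with a uidNumber attribute, and repeat for gidNumber on groups.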