List:       sssd-devel
Subject:    [SSSD] [PATCH] Allow using AD objectSid as uid source
From:       myllynen () redhat ! com (Marko Myllynen)
Date:       2011-11-25 12:56:50
Message-ID: 4ECF9092.9010504 () redhat ! com

Hi,

>>> This sounds backwards to me. I think we should regard Samba/Winbind as
>>> the gold standard in this area and if anything related gets added to
>>> SSSD it should follow Winbind conventions.
>> This sounds exactly right. SSSD supports multiple domains and needs to
>> deal with UID ranges much more rigorously than samba.
> 
> yes, that's why the patch proposal uses the same logic as pure
> Winbind/idmap_rid where mappings are controlled by smb.conf on a per
> domain basis - in this case mappings are controlled by sssd.conf on a per
> domain basis. Meaning that Winbind and SSSD would produce the same uid
> mappings for the users of a domain if so configured. It would also seem
> that the upcoming SSSD/Winbind backend uses the same approach so if
> someone sees issues with this patch proposal those concerns would be
> then valid with the SSSD/Winbind backend, too.

I investigated the latest SSSD/Winbind patch a bit more and it might
actually have some issues which my patch proposal doesn't have but
please correct me if I'm misreading the patch.

It seems that if one doesn't explicitly set a non-default idmap backend
then the tdb backend will get used, meaning that users in a domain will
get different uids on different systems using the SSSD/Winbind backend.
And the current configuration file being generated by SSSD for the
winbind daemon does not include any domain specific configuration for
the id mappings. So if an organization has two AD domains like PROD and
TEST (a rather common case when preparing for a DC update, e.g., PROD is
AD 2003 and TEST is for AD 2008 testing), how can one configure the
backend to be used with both of these domains if IdM for UNIX is not in use?

As a concrete example, with the objectSid based approach one could
allocate user ids as needed for local users and users in LDAP domains as
always (let's say those are uids 0-10M). Then for the PROD and TEST
domains users could be mapped for example to 10M-20M and 20M-30M uid
ranges, respectively. And these mappings would match the Samba/Winbind
mappings if it had the same uid ranges configured for the domains with
the rid idmap backend.

Since both approaches might need some refinements perhaps we could have
an IRC discussion to see how we could improve both solutions?

Thanks,

-- 
Marko Myllynen
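An added illustration of the objectSid-based mapping discussed above (not code from the patch or from SSSD): the idmap_rid convention of uid = range_low + RID, with the range chosen per domain from configuration, plus the overlap check a multi-domain setup needs. The domain SIDs and the 10M-20M / 20M-30M ranges are constructed to mirror the PROD/TEST example in the message.

```python
import re

# A textual SID: S-1-<authority>-<subauth>[-<subauth>...]; the last
# component of a user/group objectSid is the RID, the rest is the domain SID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed configuration, the sssd.conf/smb.conf analogue: domain SID -> inclusive
# uid range. Both SIDs are made-up values, as are the ranges (PROD and TEST).
DOMAIN_RANGES = {
    "S-1-5-21-1111-2222-3333": (10_000_000, 19_999_999),  # PROD (constructed)
    "S-1-5-21-4444-5555-6666": (20_000_000, 29_999_999),  # TEST (constructed)
}
LOCAL_RANGE = (0, 9_999_999)  # uids reserved for local and LDAP users


def split_sid(sid):
    """Return (domain_sid, rid) for an objectSid such as S-1-5-21-a-b-c-RID."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def check_ranges(ranges, local_range=LOCAL_RANGE):
    """Reject a configuration whose uid ranges overlap each other or the local range."""
    items = sorted([("local", local_range)] + list(ranges.items()),
                   key=lambda kv: kv[1][0])
    for name, (lo, hi) in items:
        if lo > hi:
            raise ValueError(f"empty uid range for {name}")
    for (name_a, (_, hi_a)), (name_b, (lo_b, _)) in zip(items, items[1:]):
        if lo_b <= hi_a:
            raise ValueError(f"uid ranges for {name_a} and {name_b} overlap")
    return True


def sid_to_uid(sid, ranges=DOMAIN_RANGES):
    """Deterministic objectSid -> uid: range_low + RID for the object's domain.

    Returns None for a domain with no configured range instead of allocating
    a uid, so two hosts with the same config always agree on the mapping."""
    domain_sid, rid = split_sid(sid)
    if domain_sid not in ranges:
        return None
    low, high = ranges[domain_sid]
    uid = low + rid
    if uid > high:
        raise ValueError(f"RID {rid} does not fit the range configured for {domain_sid}")
    return uid
```
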
