Hey Nick,

Nick wrote:
> Is it possible for the uid/gid numbers that are generated by the
> idmap_rid and idmap_hash to collide if there are a large number of
> users or groups? I cannot seem to find any documentation on the
> limitations of these plugins. Before using I want to make absolutely
> sure that there won't be any collisions.

There is a small chance of collision based on the domain sid. In testing the mean average was about 40 trusted domains but I've seen it much lower on rare occasions. Also, if the highest RID in your domain is > (as Volker points out) 2^19, the plugin will suffer from integer overflow.

There's a slide or two outlining the algorithm in this slide deck from LinuxWorld SF '08

http://archives.likewiseopen.org/~gcarter/presentations/likewise_open_first_class_citizen_lwsf08.pdf

> In doing some research about Likewise Open, I see its hashing routine
> can have this problem:
>
> "If your Active Directory relative identifiers, or RIDs, are a number
> greater than 524,287, the Likewise Open algorithm that generates UIDs
> and GIDs can result in UID-GID collisions among users and groups. In
> such cases, it is recommended that you use Likewise Enterprise or that
> you use the Likewise UID-GID management tool."
>
> http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html#AboutLikewiseAgent
>
> I was somehow thinking that Likewise is based on Samba, although I
> don't remember where I heard that so it could be total BS.

The Likewise Identity 3.x and 4.x was based on winbindd. That's when I wrote the original idmap_hash and pushed it upstream. The Likewise 5.x code base moved to a new single process threaded authentication service named lsassd, but still supports the hashing mechanism for unprovisioned AD domains.

The "enterprise" version and the uid/gid management tool you reference above just allow you to manually administer uid and gid assignments in AD (that will be picked up by lsassd).

Does that help clarify?

cheers, jerry
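The two collision sources mentioned in the reply (a RID above 2^19 - 1 = 524,287, and two trusted domains hashing to the same value) can be checked before deployment. This is an added example, not part of the original message and not the Samba or Likewise source. The 12-bit domain hash, the 19-bit RID field and the folding of the SID sub-authorities are assumptions about how the hash is laid out, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define RID_MASK 0x0007FFFFu  /* 2^19 - 1 = 524,287 */

/* The three domain sub-authorities of S-1-5-21-a-b-c. */
struct dom { uint32_t a, b, c; };

/* Assumed folding of the domain SID into a 12-bit hash. */
static uint32_t hash_domain(struct dom d)
{
    uint32_t h = d.a ^ d.b ^ d.c;
    return (((h & 0xFFF00000u) >> 20) + ((h & 0x000FFF00u) >> 8)
            + (h & 0x000000FFu)) & 0xFFFu;
}

/* Assumed layout: 12-bit domain hash above the low 19 bits of the RID. */
static uint32_t map_id(struct dom d, uint32_t rid)
{
    return (hash_domain(d) << 19) | (rid & RID_MASK);
}

/* Check 1: the highest RID in the domain must fit in 19 bits. */
static int rid_fits(uint32_t highest_rid) { return highest_rid <= RID_MASK; }

/* Check 2: count pairs of trusted domains that share a 12-bit hash. */
static size_t colliding_pairs(const struct dom *d, size_t n)
{
    size_t pairs = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (hash_domain(d[i]) == hash_domain(d[j]))
                pairs++;
    return pairs;
}

int main(void)
{
    /* Constructed sub-authority values, not real domains. */
    struct dom doms[] = { {1000u, 2000u, 3000u},
                          {0x08F00003u, 1u, 2u},
                          {5u, 6u, 7u} };
    printf("RID 1105   -> %u\n", (unsigned)map_id(doms[0], 1105u));
    printf("RID 525393 -> %u\n", (unsigned)map_id(doms[0], 525393u));
    printf("RID 525393 fits: %d\n", rid_fits(525393u));
    printf("colliding domain pairs: %zu\n", colliding_pairs(doms, 3));
    return 0;
}
```

Under these assumptions, RID 525393 (524288 + 1105) maps to the same id as RID 1105 in the same domain, and the first two sample domains share a hash, so every account in one collides with the same RID in the other.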
