[PATCH] Check if the idmap_hash range is big enough

Andreas Schneider-15
Hello,

the attached patch improves the idmap_hash manpage and adds a testparm check
that the configured range is big enough.

        $ bin/testparm smb.conf.ads
        Load smb config files from smb.conf.ads
        Loaded services file OK.

        ERROR: The idmap range for 'hash' configrued for the the domain '*' is too
        small! For a single domain the range needs to span at least 500000 IDs.
        For each other domain you need to add 500000 more IDs.


Review and push much appreciated!


Thanks,


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Attachment: idmap_hash.patch (2K)

Re: [PATCH] Check if the idmap_hash range is big enough

Ralph Böhme-2
On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider wrote:
> +  The module divides the the range into subranges for treated domains.
                                                              ^^^^^^^

Is this a new AD trust type?

"I treat you the way you treat me!"

:)

Otherwise lgtm.

Cheerio!
-slow


Re: [PATCH] Check if the idmap_hash range is big enough

Andreas Schneider-15
On Wednesday, 15 February 2017 12:19:48 CET Ralph Böhme wrote:

> On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider wrote:
> > +  The module divides the the range into subranges for treated domains.
>
>                                                               ^^^^^^^
>
> Is this a new AD trust type?
>
> "I treat you the way you treat me!"
>
> :)

Well, there is BUILTIN and the local domain. How would you describe it?


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org


Re: [PATCH] Check if the idmap_hash range is big enough

Ralph Böhme-2
On Wed, Feb 15, 2017 at 01:55:13PM +0100, Andreas Schneider wrote:

> On Wednesday, 15 February 2017 12:19:48 CET Ralph Böhme wrote:
> > On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider wrote:
> > > +  The module divides the the range into subranges for treated domains.
> >
> >                                                               ^^^^^^^
> >
> > Is this a new AD trust type?
> >
> > "I treat you the way you treat me!"
> >
> > :)
>
> Well, there is BUILTIN and the local domain. How would you describe it?

I might be missing something, but I was assuming it's a typo and you meant
"trusted" ?

Cheerio!
-slow


Re: [PATCH] Check if the idmap_hash range is big enough

Alexander Bokovoy
On ke, 15 helmi 2017, Ralph Böhme wrote:

> On Wed, Feb 15, 2017 at 01:55:13PM +0100, Andreas Schneider wrote:
> > On Wednesday, 15 February 2017 12:19:48 CET Ralph Böhme wrote:
> > > On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider wrote:
> > > > +  The module divides the the range into subranges for treated domains.
> > >
> > >                                                               ^^^^^^^
> > >
> > > Is this a new AD trust type?
> > >
> > > "I treat you the way you treat me!"
> > >
> > > :)
> >
> > Well, there is BUILTIN and the local domain. How would you describe it?
>
> I might be missing something, but I was assuming it's a typo and you meant
> "trusted" ?
I think Andreas means it to be 'every specified domain', not 'trusted'
ones.

--
/ Alexander Bokovoy


Re: [PATCH] Check if the idmap_hash range is big enough

Andreas Schneider-15
In reply to this post by Ralph Böhme-2
On Wednesday, 15 February 2017 14:21:22 CET Ralph Böhme wrote:

> On Wed, Feb 15, 2017 at 01:55:13PM +0100, Andreas Schneider wrote:
> > On Wednesday, 15 February 2017 12:19:48 CET Ralph Böhme wrote:
> > > On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider wrote:
> > > > +  The module divides the the range into subranges for treated
> > > > domains.
> > > >
> > >                                                               ^^^^^^^
> > >
> > > Is this a new AD trust type?
> > >
> > > "I treat you the way you treat me!"
> > >
> > > :)
> >
> > Well, there is BUILTIN and the local domain. How would you describe it?
>
> I might be missing something, but I was assuming it's a typo and you meant
> "trusted" ?

Michael, are 500000 IDs enough for just one domain, or do you also need 500000
IDs for BUILTIN and the local domain?

Or do you need it for each additional trusted domain only?


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org


Re: [PATCH] Check if the idmap_hash range is big enough

Michael Adam-3
In reply to this post by Ralph Böhme-2
On 2017-02-15 at 14:21 +0100, Ralph Böhme wrote:

> On Wed, Feb 15, 2017 at 01:55:13PM +0100, Andreas Schneider wrote:
> > On Wednesday, 15 February 2017 12:19:48 CET Ralph Böhme wrote:
> > > On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider wrote:
> > > > +  The module divides the the range into subranges for treated domains.
> > >
> > >                                                               ^^^^^^^
> > >
> > > Is this a new AD trust type?
> > >
> > > "I treat you the way you treat me!"
> > >
> > > :)
> >
> > Well, there is BUILTIN and the local domain. How would you describe it?
>
> I might be missing something, but I was assuming it's a typo and you meant
> "trusted" ?
I think "treated domain" is supposed to mean "domain that is
being treated by this idmap config".


Michael


Re: [PATCH] Check if the idmap_hash range is big enough

Michael Adam-3
In reply to this post by Andreas Schneider-15
On 2017-02-15 at 14:43 +0100, Andreas Schneider wrote:

> On Wednesday, 15 February 2017 14:21:22 CET Ralph Böhme wrote:
> > On Wed, Feb 15, 2017 at 01:55:13PM +0100, Andreas Schneider wrote:
> > > On Wednesday, 15 February 2017 12:19:48 CET Ralph Böhme wrote:
> > > > On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider wrote:
> > > > > +  The module divides the the range into subranges for treated
> > > > > domains.
> > > > >
> > > >                                                               ^^^^^^^
> > > >
> > > > Is this a new AD trust type?
> > > >
> > > > "I treat you the way you treat me!"
> > > >
> > > > :)
> > >
> > > Well, there is BUILTIN and the local domain. How would you describe it?
> >
> > I might be missing something, but I was assuming it's a typo and you meant
> > "trusted" ?
>
> Michael are 500000 IDs enough for just one domain or do you need also 500000
> IDs for BULTIN and the local domain?
IIRC, currently BUILTIN and the local domain are treated by the group
mapping mechanisms that use the allocate_id method, and they do not
appear as proper domains in '*' id-mapping by default.

allocate id is not implemented by idmap_hash currently.

This idmap_hash manpage should carry a big caveat
"DO NOT USE THIS MODULE - IT HAS CONCEPTUAL PROBLEMS" ... :-)

Like: two different domains have a >0% chance of colliding
and consuming the same range. Not funny!

And if the domain has more than the ~ 500,000 objects, then
the IDs will wrap around, i.e. RID and RID+524288 from the same
domain will have the same Unix ID associated ....

> Or do you need it for each additional trusted domain only?

yeah unless they happen to consume the same range... :-/

Regarding your patch:

- The check for 500000 seems a bit heuristic to me.
- I (still) don't like the fact that the testparm binary
  tests stuff for the modules which are kind of
  separate.

Cheers - Michael



Re: [PATCH] Check if the idmap_hash range is big enough

Rowland Penny-4
In reply to this post by Michael Adam-3
On Wed, 15 Feb 2017 23:00:12 +0100
Michael Adam <[hidden email]> wrote:

> On 2017-02-15 at 14:21 +0100, Ralph Böhme wrote:
> > On Wed, Feb 15, 2017 at 01:55:13PM +0100, Andreas Schneider wrote:
> > > On Wednesday, 15 February 2017 12:19:48 CET Ralph Böhme wrote:
> > > > On Wed, Feb 15, 2017 at 10:25:42AM +0100, Andreas Schneider
> > > > wrote:
> > > > > +  The module divides the the range into subranges
> > > > > for treated domains.
> > > >
> > > >                                                               ^^^^^^^
> > > >
> > > > Is this a new AD trust type?
> > > >
> > > > "I treat you the way you treat me!"
> > > >
> > > > :)
> > >
> > > Well, there is BUILTIN and the local domain. How would you
> > > describe it?
> >
> > I might be missing something, but I was assuming it's a typo and
> > you meant "trusted" ?
>
> I think "treated domain" is supposed to mean "domain that is
> being treated by this idmap config".
>
>
> Michael

How about replacing 'treated' with 'separate' ?

Rowland


Re: [PATCH] Check if the idmap_hash range is big enough

Andreas Schneider-15
In reply to this post by Michael Adam-3
On Wednesday, 15 February 2017 23:08:19 CET Michael Adam wrote:
> Regarding your patch:
>
> - The check for 500000 seems a bit heuristic to me.
> - I (still) don't like the fact that the testparm binary
>   tests stuff for the modules which are kind of
>   separate.

We need to tell the user somehow what he does wrong. Why is testparm not the
tool to do that?


New improved patchset attached.


Andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Attachment: idmap_hash_v2.patch (2K)

Re: [PATCH] Check if the idmap_hash range is big enough

Rowland Penny-4
On Fri, 17 Feb 2017 12:24:05 +0100
Andreas Schneider <[hidden email]> wrote:

> On Wednesday, 15 February 2017 23:08:19 CET Michael Adam wrote:
> > Regarding your patch:
> >
> > - The check for 500000 seems a bit heuristic to me.
> > - I (still) don't like the fact that the testparm binary
> >   tests stuff for the modules which are kind of
> >   separate.
>
> We need to tell the user somehow what he does wrong. Why ist testparm
> not the tool to do that?
>
>
> New improved patchset attached.
>
>
> Andreas
>
>

You appear to have a stutter:

+  The module divides the the range into subranges for each
                                 ^^^

There is also a typo:

+ "configrued for the the domain
                                         ^^^^^^^^^^

Rowland


Re: [PATCH] Check if the idmap_hash range is big enough

Michael Adam-3
In reply to this post by Andreas Schneider-15
On 2017-02-17 at 12:24 +0100, Andreas Schneider wrote:

> On Wednesday, 15 February 2017 23:08:19 CET Michael Adam wrote:
> > Regarding your patch:
> >
> > - The check for 500000 seems a bit heuristic to me.
> > - I (still) don't like the fact that the testparm binary
> >   tests stuff for the modules which are kind of
> >   separate.
>
> We need to tell the user somehow what he does wrong. Why ist testparm not the
> tool to do that?
Because the one and only code place with knowledge about
an idmap module's config should be ... the idmap module.
Just like with VFS modules.

If we check the config and output warnings or errors in
testparm, then the CODE for the check and the warning should
ideally be in the idmap (or vfs ...) module.

This way the same code could be called at startup and lead
to an abort or a warning, depending on the error. Couldn't
the check be called in lp_load? I don't fully understand
anyways, why testparm does more checks after calling
lp_load ... ;-)

Hence I am saying the testparm.c code is conceptually the
wrong place for such a check.  I think I said something
like that already in the last wave of config check improvements.
If the idmap module changes, testparm needs to be changed as
well.

Of course it is much easier to put the check into testparm.
But not good. :-)

So, these are my concerns.



Cheers - Michael


> New improved patchset attached.
>
>
> Andreas
>
>
> --
> Andreas Schneider                   GPG-ID: CC014E3D
> Samba Team                             [hidden email]
> www.samba.org

> From 675d755dd85324d156b038f5ac5250470b9d350e Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <[hidden email]>
> Date: Wed, 15 Feb 2017 08:55:24 +0100
> Subject: [PATCH 1/2] docs: Improve the idmap_hash manpage
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
>
> Signed-off-by: Andreas Schneider <[hidden email]>
> ---
>  docs-xml/manpages/idmap_hash.8.xml | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/docs-xml/manpages/idmap_hash.8.xml b/docs-xml/manpages/idmap_hash.8.xml
> index 9f4f1d1933c..8e9fa82960d 100644
> --- a/docs-xml/manpages/idmap_hash.8.xml
> +++ b/docs-xml/manpages/idmap_hash.8.xml
> @@ -24,6 +24,11 @@
>    to support a local name mapping files if enabled via the
>    &quot;winbind normalize names&quot; and &quot;winbind nss info&quot;
>    parameters in smb.conf.
> +  The module divides the the range into subranges for each domain that is being
> +  handled by the idmap config.
> +  Each range has a size of roughly 525000 IDs (20 bit). This means
> +  that the range for multiple domains needs to be large enough! So a good value
> +  is normally '100000-4000000' or even bigger.
You list 4 million here, i.e. space for 8 domains. Note that
unlike the autorid module, the hash module does not take the
next free range for the next domain that comes across, but for
each sid, the range is determined by the 12bit (!!!) hash that
is calculated from the sid. I.e. each sid has its pre-defined
range.  I.e. you need all the 4096 (12bit) ranges if you want
to cover all possible domains that might come across.
Also, there is no addition of the low-id of the range to a rid
or so, so if you want to catch all possible SIDs that come
across your "idmap config *" setup you need a range of

0 - 2147483648 = 524288 * 4096

if my math is not entirely wrong.
(Btw, the 524288 elements are 19 bit... (= 1<<19),
whatever I had written before. ;-)

If you have a smaller range, some sids won't get mapped.

The example below lists 4 billion as upper limit.
That is enough.

>   </para>
>  </refsynopsisdiv>
>  
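Review bot: the first added line carries a doubled "the the", and "(20 bit)" does not match the 525000 figure on the same line: 2^20 is 1048576, whereas 2^19 is 524288, the constant the testparm patch below compares against. Suggest "roughly 525000 IDs (2^19 = 524288)". The sentence "the range for multiple domains needs to be large enough" also understates the constraint described in the analysis above: the subranges are absolute, so the configured range must contain whole 524288-aligned subranges, not merely be large. Finally, the recommended '100000-4000000' contradicts the example in the next hunk, which uses 4000000000.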
> @@ -53,7 +58,7 @@
>   <programlisting>
>   [global]
>   idmap config * : backend = hash
> - idmap config * : range = 1000-4000000000
> + idmap config * : range = 100000-4000000000

If you want to catch as much as possible of a domain
that gets hashed to 0, then the lower bound needs to
be as low as possible, hence the 1000. But then,
the first 1000 rids in a domain will be used as well,
and hence why not skip this first range entirely
and start at 500000 ? ;-)

So:

- the idmap hash module, when used for "idmap config *",
  ideally should have the full range of
  0 - 2147483648 which is not quite possible (at the low
  end at least)...

- domains occupy a fixed range. there is nothing that
  can change that.

- the domains are mapped to a 12 bit hash which is very
  likely to show collisions.

- each domain has a fixed range size and if there are
  larger rids, they are not filtered but
  rid and rid % 524288 get mapped to the same ID

==> If we could only delete this module. :-/
    It is so full of serious and dangerous design flaws.
    But unfortunately it is used out there.

Not quite sure where to go from here,
but this is my analysis.

Cheers - Michael



>   winbind nss info = hash
>   winbind normalize names = yes
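Review bot: raising the lower bound from 1000 to 100000 does not put it on a subrange boundary, so the first subrange (IDs 0-524287) remains only partially usable; if the intent is to skip that subrange entirely, the bound should be 524288, and the text should say why. The upper bound 4000000000 also disagrees with the '100000-4000000' recommended in the synopsis text of the previous hunk, and it lies well beyond 2147483647 (4096 * 524288 - 1), the largest ID the 12-bit slot layout can produce; documenting that real limit would be more useful than a round number.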
> --
> 2.11.0
>
>
> From f7659c49c43fe7a25f3e27f02585ac0c8ad878b3 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <[hidden email]>
> Date: Wed, 15 Feb 2017 10:12:51 +0100
> Subject: [PATCH 2/2] s3-testparm: Add an error for small idmap_hash ranges
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
>
> Signed-off-by: Andreas Schneider <[hidden email]>
> ---
>  source3/utils/testparm.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
>
> diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
> index 3e80c39cf9d..9010c4e4d85 100644
> --- a/source3/utils/testparm.c
> +++ b/source3/utils/testparm.c
> @@ -190,6 +190,22 @@ static bool do_idmap_check(void)
>   goto done;
>   }
>   }
> +
> + ok = strequal(c->backend, "hash");
> + if (ok) {
> + if (c->high - c->low < 524288) {
> + fprintf(stderr,
> + "ERROR: The idmap range for '%s' "
> + "configrued for the the domain "
> + "'%s' is too small! Please consult "
> + "the manpage of idmap_hash module."
> + "\n\n",
> + c->backend,
> + c->domain_name);
> + ok = false;
> + goto done;
> + }
> + }
>   }
>  
>   ok = true;
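Review bot: 524288 is a bare literal here while the manpage text says 525000 and the cover letter's message says 500000; define one named constant and use it in both the check and the message. The check is also only relative, so it does not capture the module's constraint: a range such as 300000-900000 passes (high - low is 600000) yet contains no complete 524288-aligned subrange, while the exactly-one-subrange config 524288-1048575 is rejected because high - low is 524287 (an off-by-one; compare `c->high - c->low + 1 < 524288`). Minor: the message string reads "configrued for the the domain", and storing the strequal() result in `ok`, the variable that otherwise carries the function's result, makes the control flow harder to follow than a plain `if (strequal(c->backend, "hash"))`.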
> --
> 2.11.0
>



Re: [PATCH] Check if the idmap_hash range is big enough

Marc Muehlfeld-4
In reply to this post by Andreas Schneider-15
Hi Andreas,

Am 15.02.2017 um 10:25 schrieb Andreas Schneider:

> the attached patch improves the idmap_hash manpage and adds a testparm check
> that the configured range is big enough.
>
> $ bin/testparm smb.conf.ads
> Load smb config files from smb.conf.ads
> Loaded services file OK.
>
> ERROR: The idmap range for 'hash' configrued for the the domain '*' is too
> small! For a single domain the range needs to span at least 500000 IDs.
> For each other domain you need to add 500000 more IDs.

Does this only concern "testparm" or does Samba fail to start if the
range is < 500000? In this case, we should mention this in the release
notes.


Regards,
Marc


Re: [PATCH] Check if the idmap_hash range is big enough

Andreas Schneider-15
In reply to this post by Michael Adam-3
On Friday, 17 February 2017 18:44:34 CET Michael Adam wrote:
> > - idmap config * : range = 1000-4000000000
> > + idmap config * : range = 100000-4000000000
>
> If you want to catch as much as possible of a domain
> that gets hashed to 0, then the lower bound needs to
> be as low as possible, hence the 1000. But then,
> the first 1000 rids in a domain will be used as well,
> and hence why not skip this first range entirely
> and start at 500000 ? ;-)

OK, let's start there. I think we should suggest 525000, which is big enough and
easy to deal with for our users.

>
> So:
>
> - the idmap hash module, when used for "idmap config *",
>   ideally should have the full range of
>   0 - 2147483648 which is not quite possible (at the low
>   end at least)...

The best is to start with 500000. 1000 is normally the start for local users.


See attached patchset.


        Andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Attachment: idmap_hash_v3.patch (2K)

Re: [PATCH] Check if the idmap_hash range is big enough

Andreas Schneider-15
On Monday, 20 February 2017 11:51:15 CET Andreas Schneider wrote:

> On Friday, 17 February 2017 18:44:34 CET Michael Adam wrote:
> > > - idmap config * : range = 1000-4000000000
> > > + idmap config * : range = 100000-4000000000
> >
> > If you want to catch as much as possible of a domain
> > that gets hashed to 0, then the lower bound needs to
> > be as low as possible, hence the 1000. But then,
> > the first 1000 rids in a domain will be used as well,
> > and hence why not skip this first range entirely
> > and start at 500000 ? ;-)
>
> Ok, lets start there. I think we should suggest 525000 that is big enough
> and easy to deal with for our users.
>
> > So:
> >
> > - the idmap hash module, when used for "idmap config *",
> >
> >   ideally should have the full range of
> >   0 - 2147483648 which is not quite possible (at the low
> >   end at least)...
>
> The best is to start with 500000. 1000 is normally the start for local
> users.
>
>
> See attached patchset.
>
>
> Andreas
Oops, something went wrong while creating the patches. Here is the latest version.


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Attachment: idmap_hash_v4.patch (2K)

Re: [PATCH] Check if the idmap_hash range is big enough

Michael Adam-3
In reply to this post by Andreas Schneider-15
On 2017-02-20 at 11:51 +0100, Andreas Schneider wrote:

> On Friday, 17 February 2017 18:44:34 CET Michael Adam wrote:
> > > - idmap config * : range = 1000-4000000000
> > > + idmap config * : range = 100000-4000000000
> >
> > If you want to catch as much as possible of a domain
> > that gets hashed to 0, then the lower bound needs to
> > be as low as possible, hence the 1000. But then,
> > the first 1000 rids in a domain will be used as well,
> > and hence why not skip this first range entirely
> > and start at 500000 ? ;-)
>
> Ok, lets start there. I think we should suggest 525000 that is big enough and
> easy to deal with for our users.
>
> >
> > So:
> >
> > - the idmap hash module, when used for "idmap config *",
> >   ideally should have the full range of
> >   0 - 2147483648 which is not quite possible (at the low
> >   end at least)...
>
> The best is to start with 500000. 1000 is normally the start for local users.
Now what? 500000 or 525000 ? :-)

> See attached patchset.
>
>
> Andreas
>
>
> --
> Andreas Schneider                   GPG-ID: CC014E3D
> Samba Team                             [hidden email]
> www.samba.org

> From c0f379a680613fdb28a23d0cf2e3ed9ace260fd7 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <[hidden email]>
> Date: Wed, 15 Feb 2017 08:55:24 +0100
> Subject: [PATCH 1/2] docs: Improve the idmap_hash manpage
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
>
> Signed-off-by: Andreas Schneider <[hidden email]>
> ---
>  docs-xml/manpages/idmap_hash.8.xml | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/docs-xml/manpages/idmap_hash.8.xml b/docs-xml/manpages/idmap_hash.8.xml
> index 9f4f1d1933c..a9230498efe 100644
> --- a/docs-xml/manpages/idmap_hash.8.xml
> +++ b/docs-xml/manpages/idmap_hash.8.xml
> @@ -24,6 +24,11 @@
>    to support a local name mapping files if enabled via the
>    &quot;winbind normalize names&quot; and &quot;winbind nss info&quot;
>    parameters in smb.conf.
> +  The module divides the range into subranges for each domain that is being
> +  handled by the idmap config.
> +  Each range has a size of roughly 525000 IDs (20 bit). This means
> +  that the range for multiple domains needs to be large enough! So a good value
> +  is normally '100000-4000000' or even bigger.
That's not the main point.
It's not that you need a couple of those ranges of size ~ 525000
in order to accommodate a few domains.  You need *them all*
because each domain has a fixed absolute range associated to it
by the hashing algorithm, and you don't know a priori which domain
will come by...

So no, the above range is not normally a good value,
since those almost 8 ranges out of the more than 4000
ranges that exist, are likely not among those needed
for the domains that enter the system...

(apart from this, the low id of 100000 seems to contradict your
mention of 525000 above...)

>   </para>
>  </refsynopsisdiv>
>  
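Review bot: "(20 bit)" still mislabels the subrange size; 525000 is approximately 2^19 = 524288, not 2^20, and 524288 is the literal the idmap_hash.c hunk below uses, so state that number. The recommended '100000-4000000' also still starts at 100000 although the reply this version answers agreed on starting at 500000/525000, and 4000000 disagrees with the 4000000000 in the example hunk; whichever bounds are chosen, the text should say that they need to fall on 524288 multiples because each domain's subrange is absolute, not relative to the configured range.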
> @@ -53,7 +58,7 @@
>   <programlisting>
>   [global]
>   idmap config * : backend = hash
> - idmap config * : range = 1000-4000000000
> + idmap config * : range = 100000-4000000000
>  
>   winbind nss info = hash
>   winbind normalize names = yes
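Review bot: the example's lower bound is still 100000 rather than the 525000 agreed in the preceding replies (524288 if it is to be a real subrange boundary), and its upper bound 4000000000 differs from the '4000000' in the synopsis text of the previous hunk. The upper bound also exceeds 2147483647, the last ID reachable with 4096 subranges of 524288, so the example would be clearer with that value, or with a comment that anything above it is unused.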
> --
> 2.11.0
>
>
> From 7aaeb3f0f5add14106731290e1ad70d84dc7f6a6 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <[hidden email]>
> Date: Mon, 20 Feb 2017 11:44:22 +0100
> Subject: [PATCH 2/2] idmap_hash: Make sure the idmap range is big enough
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
>
> Signed-off-by: Andreas Schneider <[hidden email]>
> ---
>  source3/winbindd/idmap_hash/idmap_hash.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c
> index 743b0ec4ff8..aa3836c0727 100644
> --- a/source3/winbindd/idmap_hash/idmap_hash.c
> +++ b/source3/winbindd/idmap_hash/idmap_hash.c
> @@ -119,6 +119,14 @@ static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom)
>   return NT_STATUS_INVALID_PARAMETER;
>   }
>  
> + if ((dom->high_id - dom->low_id) < 524288) {
> + DBG_ERR("Error: The idmap_hash range configured for domain "
> + "'%s' is too small! Please consult the manpage of "
> + "the idmap_hash module.\n",
> + dom->name);
> + return NT_STATUS_INVALID_PARAMETER;
> + }
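Review bot: `(dom->high_id - dom->low_id) < 524288` rejects a range that spans exactly one subrange: with range = 524288-1048575, high_id - low_id is 524287. Use `dom->high_id - dom->low_id + 1 < 524288`, and replace the literal with a named constant shared with the manpage text. Beyond the off-by-one, the check is relative while the subranges are absolute, so a passing range can still contain no complete subrange; testing that at least one 524288-aligned subrange fits, e.g. `(dom->low_id + 524287) / 524288 * 524288 + 524287 <= dom->high_id`, would reflect the module's real constraint, and the error text could then say "must contain at least one whole 524288-ID subrange" instead of pointing at the manpage.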
Again, this misses the main point, because the hash ranges
are determined absolutely, and not relative to configured
idmap ranges:

Yeah, it's right that a range this small can't even accommodate
a single domain, but even if we are just big enough for one
range, this is likely not an entire range (but starting in the
middle of one range and ending in the middle of the next one),
and even if one full range is included, the likelihood that
it will be this one range that is used by the domain of users
logging on to the samba server is extremely low...

I am really sorry to be coming across so negatively.
I would like to have a better answer, but currently
I only know what is NOT sufficient or completely good... :-/

Michael


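The ID layout Michael Adam describes in his 17 February analysis (a 12-bit domain hash selects a fixed, absolute subrange of 524288 IDs; the RID wraps modulo 524288; the configured low id is never added) and the relative `high_id - low_id < 524288` check in the v3 patch he reviews above can be put side by side in a small model. The script below is an illustration added for this page; it is not Samba's idmap_hash code and not from any poster. The thread does not show the domain hash function, so a SHA-1 based stand-in is used for it (assumption), and the sample SIDs and ranges are constructed.

```python
"""Toy model of the idmap_hash ID layout discussed in this thread.

Added illustration, not Samba code.  The layout follows the thread
(12-bit domain hash -> absolute 524288-ID subrange, RID in the low 19
bits, configured low id not added).  The domain hash itself is a
stand-in (assumption), because the page does not show Samba's.
"""
import hashlib

SLOT_BITS = 12                                # 12-bit domain hash
RID_BITS = 19                                 # 2**19 == 524288 IDs per domain
SLOT_SIZE = 1 << RID_BITS                     # 524288
SLOT_COUNT = 1 << SLOT_BITS                   # 4096 possible subranges
FULL_RANGE_HIGH = SLOT_COUNT * SLOT_SIZE - 1  # 2147483647, last reachable ID


def domain_slot(domain_sid: str) -> int:
    """Stand-in 12-bit domain hash (assumption: not Samba's algorithm)."""
    digest = hashlib.sha1(domain_sid.encode("ascii")).digest()
    return int.from_bytes(digest[:2], "big") & (SLOT_COUNT - 1)


def sid_to_unix_id(domain_sid: str, rid: int) -> int:
    """Absolute ID: slot * 524288 + (rid mod 524288).  The configured
    range only decides whether this ID is handed out; it never shifts it."""
    return domain_slot(domain_sid) * SLOT_SIZE + (rid % SLOT_SIZE)


def patch_range_check(low: int, high: int) -> bool:
    """The check from the posted patches: reject if (high - low) < 524288."""
    return (high - low) >= SLOT_SIZE


def complete_slots(low: int, high: int) -> list:
    """Slot indices k whose whole [k*524288, (k+1)*524288 - 1] lies in low..high."""
    first = -(-low // SLOT_SIZE)                              # ceil(low / 524288)
    last = min((high + 1) // SLOT_SIZE - 1, SLOT_COUNT - 1)   # slots above 4095 never occur
    return list(range(first, last + 1)) if last >= first else []


def aligned_range_check(low: int, high: int) -> bool:
    """What a check would have to ask: does at least one whole subrange fit?"""
    return bool(complete_slots(low, high))


def mappable(domain_sid: str, rid: int, low: int, high: int) -> bool:
    """Would winbind return an ID for this SID under 'range = low-high'?"""
    return low <= sid_to_unix_id(domain_sid, rid) <= high


def rid_wraps(domain_sid: str, rid: int) -> bool:
    """RID and RID + 524288 of one domain collapse onto the same unix ID."""
    return sid_to_unix_id(domain_sid, rid) == sid_to_unix_id(domain_sid, rid + SLOT_SIZE)


def collision_probability(n_domains: int) -> float:
    """Birthday-bound chance that at least two of n domains share a slot."""
    p_distinct = 1.0
    for i in range(n_domains):
        p_distinct *= (SLOT_COUNT - i) / SLOT_COUNT
    return 1.0 - p_distinct


if __name__ == "__main__":
    # Constructed sample domain SIDs and the ranges discussed in the thread.
    domains = ["S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"]
    for low, high in [(1000, 4000000000), (100000, 4000000), (300000, 900000),
                      (524288, 1048575), (0, FULL_RANGE_HIGH)]:
        print(f"range {low}-{high}: patch check {patch_range_check(low, high)}, "
              f"whole subranges {len(complete_slots(low, high))}")
    for sid in domains:
        print(sid, "-> slot", domain_slot(sid),
              "uid(rid 1000) =", sid_to_unix_id(sid, 1000),
              "wraps:", rid_wraps(sid, 1000))
    print("P(two of 10 domains collide):", round(collision_probability(10), 4))
```

Running it shows the three points the reviews turn on: 300000-900000 satisfies the patch's check but contains no whole subrange; 524288-1048575, exactly one subrange, is rejected by the same check; and only 0-2147483647 makes every domain mappable, while anything above that is never used.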

Re: [PATCH] Check if the idmap_hash range is big enough

Andreas Schneider-15
On Tuesday, 21 February 2017 02:10:17 CET Michael Adam wrote:

> On 2017-02-20 at 11:51 +0100, Andreas Schneider wrote:
> > On Friday, 17 February 2017 18:44:34 CET Michael Adam wrote:
> > > > - idmap config * : range = 1000-4000000000
> > > > + idmap config * : range = 100000-4000000000
> > >
> > > If you want to catch as much as possible of a domain
> > > that gets hashed to 0, then the lower bound needs to
> > > be as low as possible, hence the 1000. But then,
> > > the first 1000 rids in a domain will be used as well,
> > > and hence why not skip this first range entirely
> > > and start at 500000 ? ;-)
> >
> > Ok, lets start there. I think we should suggest 525000 that is big enough
> > and easy to deal with for our users.
> >
> > > So:
> > >
> > > - the idmap hash module, when used for "idmap config *",
> > >
> > >   ideally should have the full range of
> > >   0 - 2147483648 which is not quite possible (at the low
> > >   end at least)...
> >
> > The best is to start with 500000. 1000 is normally the start for local
> > users.
> Now what? 500000 or 525000 ? :-)
>
> > See attached patchset.
> >
> > Andreas
> >
> > From c0f379a680613fdb28a23d0cf2e3ed9ace260fd7 Mon Sep 17 00:00:00 2001
> > From: Andreas Schneider <[hidden email]>
> > Date: Wed, 15 Feb 2017 08:55:24 +0100
> > Subject: [PATCH 1/2] docs: Improve the idmap_hash manpage
> >
> > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
> >
> > Signed-off-by: Andreas Schneider <[hidden email]>
> > ---
> >
> >  docs-xml/manpages/idmap_hash.8.xml | 7 ++++++-
> >  1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/docs-xml/manpages/idmap_hash.8.xml
> > b/docs-xml/manpages/idmap_hash.8.xml index 9f4f1d1933c..a9230498efe
> > 100644
> > --- a/docs-xml/manpages/idmap_hash.8.xml
> > +++ b/docs-xml/manpages/idmap_hash.8.xml
> > @@ -24,6 +24,11 @@
> >
> >    to support a local name mapping files if enabled via the
> >    &quot;winbind normalize names&quot; and &quot;winbind nss info&quot;
> >    parameters in smb.conf.
> >
> > +  The module divides the range into subranges for each domain that is
> > being +  handled by the idmap config.
> > +  Each range has a size of roughly 525000 IDs (20 bit). This means
> > +  that the range for multiple domains needs to be large enough! So a
> > good value +  is normally '100000-4000000' or even bigger.
>
> That's not the main point.
> It's not that you need a couple of those ranges of size ~ 525000
> in order to accomodate a few domains.  You need *them all*
> because each domain has a fixed absolute range associated to it
> by the hashing algorithm, and you don't know a priori which domain
> will come by...
>
> So no, the above range is not normally a good value,
> since those almost 8 ranges out of the more than 4000
> ranges that exist, are likely not among those needed
> for the domains that enter the system...
>
> (apart from this, the low id of 100000 seems to contradict your
> mention of 525000 above...)

You should look at patch version v4.

You said a domain needs 524288 IDs for allocation. So 525000 is easier for a
user, that's why I chose that. If the text is wrong, could you please suggest
a text instead of letting me do the guesswork here?

> >   </para>
> >  
> >  </refsynopsisdiv>
> >
> > @@ -53,7 +58,7 @@
> >
> >   <programlisting>
> >   [global]
> >   idmap config * : backend = hash
> >
> > - idmap config * : range = 1000-4000000000
> > + idmap config * : range = 100000-4000000000
> >
> >   winbind nss info = hash
> >   winbind normalize names = yes
>
> Again, this misses the main point, because the hash ranges
> are determined absolutely, and not relative to configured
> idmap ranges:
>
> Yeah, it's right that a range this small can't even accomodate
> a single domain, but even if we are just big enough for one
> range, this is likely not an entire range (but starting in the
> middle of one range and ending in the middle of the next one),
> and even if one full range is included the likelyhood that
> it will be this one range that is used by the domain of users
> logging on to the samba server is extremely low...
>
> I am really sorry to be coming across so negatively.
> I would like to have a better answer, but currently
> I only know what is NOT sufficient or completely good... :-/


I don't see or understand where we are going here. I don't understand what you
want.

If you do not want to change/fix the manpage or add a check in idmap_hash
module itself then please tell me and I can stop wasting time on a patchset
which is not accepted upstream.

If you want to fix the documentation please suggest a text for the manpage.


        Andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org


Re: [PATCH] Check if the idmap_hash range is big enough

Michael Adam-3
On 2017-02-21 at 09:32 +0100, Andreas Schneider wrote:

> On Tuesday, 21 February 2017 02:10:17 CET Michael Adam wrote:
> > On 2017-02-20 at 11:51 +0100, Andreas Schneider wrote:
> > > On Friday, 17 February 2017 18:44:34 CET Michael Adam wrote:
> > > > > - idmap config * : range = 1000-4000000000
> > > > > + idmap config * : range = 100000-4000000000
> > > >
> > > > If you want to catch as much as possible of a domain
> > > > that gets hashed to 0, then the lower bound needs to
> > > > be as low as possible, hence the 1000. But then,
> > > > the first 1000 rids in a domain will be used as well,
> > > > and hence why not skip this first range entirely
> > > > and start at 500000 ? ;-)
> > >
> > > Ok, let's start there. I think we should suggest 525000 that is big enough
> > > and easy to deal with for our users.
> > >
> > > > So:
> > > >
> > > > - the idmap hash module, when used for "idmap config *",
> > > >
> > > >   ideally should have the full range of
> > > >   0 - 2147483648 which is not quite possible (at the low
> > > >   end at least)...
> > >
> > > The best is to start with 500000. 1000 is normally the start for local
> > > users.
> > Now what? 500000 or 525000 ? :-)
> >
> > > See attached patchset.
> > >
> > > Andreas
> > >
> > > From c0f379a680613fdb28a23d0cf2e3ed9ace260fd7 Mon Sep 17 00:00:00 2001
> > > From: Andreas Schneider <[hidden email]>
> > > Date: Wed, 15 Feb 2017 08:55:24 +0100
> > > Subject: [PATCH 1/2] docs: Improve the idmap_hash manpage
> > >
> > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
> > >
> > > Signed-off-by: Andreas Schneider <[hidden email]>
> > > ---
> > >
> > >  docs-xml/manpages/idmap_hash.8.xml | 7 ++++++-
> > >  1 file changed, 6 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/docs-xml/manpages/idmap_hash.8.xml
> > > b/docs-xml/manpages/idmap_hash.8.xml index 9f4f1d1933c..a9230498efe
> > > 100644
> > > --- a/docs-xml/manpages/idmap_hash.8.xml
> > > +++ b/docs-xml/manpages/idmap_hash.8.xml
> > > @@ -24,6 +24,11 @@
> > >
> > >    to support a local name mapping files if enabled via the
> > >    &quot;winbind normalize names&quot; and &quot;winbind nss info&quot;
> > >    parameters in smb.conf.
> > >
> > > +  The module divides the range into subranges for each domain that is
> > > being +  handled by the idmap config.
> > > +  Each range has a size of roughly 525000 IDs (20 bit). This means
> > > +  that the range for multiple domains needs to be large enough! So a
> > > good value +  is normally '100000-4000000' or even bigger.
> >
> > That's not the main point.
> > It's not that you need a couple of those ranges of size ~ 525000
> > in order to accommodate a few domains.  You need *them all*
> > because each domain has a fixed absolute range associated to it
> > by the hashing algorithm, and you don't know a priori which domain
> > will come by...
> >
> > So no, the above range is not normally a good value,
> > since those almost 8 ranges out of the more than 4000
> > ranges that exist, are likely not among those needed
> > for the domains that enter the system...
> >
> > (apart from this, the low id of 100000 seems to contradict your
> > mention of 525000 above...)
>
> You should look at patch version v4.
Ah, I had only seen v3. :-)
v4 is of course more consistent.

> You said a domain needs 524288 ids for allocation. So 525000 is easier for a
> user, that's why I chose that. If the text is wrong, could you please suggest
> a text instead of letting me do the guesswork here?

Well, I am not actually letting you do guesswork.
I'm only saying what I see as problematic. And if
that is not clear you can also look at the code
instead of guessing, right? ... ;-)

I would also propose a text if I had a good one.
The unresolvable dilemma here is that this module
is utterly messed up, and NO configuration that
we can come up with will be perfect, for reasons
I detailed in an earlier mail.

I guess any good and honest text will have to
explain the formulas used by the module, so that
the reader can understand what the module does.
It will also contain the sentence "DO NOT USE THIS MODULE!"...

(See below...)

> > >   </para>
> > >  
> > >  </refsynopsisdiv>
> > >
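Review bot: the new synopsis paragraph in this hunk says the module "divides the range into subranges for each domain that is being handled by the idmap config", which reads as if the subranges were carved out of the configured range; they are not, as the explanation later in this reply spells out: a domain always lands at hash(DOMAINSID) * 0x080000 whether or not that lies inside "idmap config * : range". Two smaller points in the same lines: 0x080000 is 524288 = 2^19, so "(20 bit)" should read "19 bit" (or just give the exact number), and the suggested '100000-4000000' fully contains only subranges 1 to 6 of the 4096 and cuts subrange 0 off at 100000, so it is a poor value to recommend. Suggest replacing "large enough" with the formula and the statement that only 0-2147483647 can map every SID.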
> > > @@ -53,7 +58,7 @@
> > >
> > >   <programlisting>
> > >   [global]
> > >   idmap config * : backend = hash
> > >
> > > - idmap config * : range = 1000-4000000000
> > > + idmap config * : range = 100000-4000000000
> > >
> > >   winbind nss info = hash
> > >   winbind normalize names = yes
> >
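Review bot: raising the example's lower bound from 1000 to 100000 discards 99000 more IDs of any domain that hashes to subrange 0 and gains nothing for the others, because the subranges are fixed by hash(DOMAINSID), not by where the configured range starts. If the intent is to skip subrange 0 entirely, the boundary is 524288 (0x080000), not a round 100000; if the intent is to catch as much of subrange 0 as possible, keep 1000. Also worth a sentence next to the example: the upper bound 4000000000 lies beyond the largest ID the module can produce (4096 * 524288 - 1 = 2147483647), so everything above that is dead space.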
> > Again, this misses the main point, because the hash ranges
> > are determined absolutely, and not relative to configured
> > idmap ranges:
> >
> > Yeah, it's right that a range this small can't even accommodate
> > a single domain, but even if we are just big enough for one
> > range, this is likely not an entire range (but starting in the
> > middle of one range and ending in the middle of the next one),
> > and even if one full range is included the likelihood that
> > it will be this one range that is used by the domain of users
> > logging on to the samba server is extremely low...
> >
> > I am really sorry to be coming across so negatively.
> > I would like to have a better answer, but currently
> > I only know what is NOT sufficient or completely good... :-/
>
>
> I don't see or understand where we are going here. I don't understand what you
> want.
Well. You want to change the manpage and testparm.
I am reviewing your changes since I want the changes
going in to be correct, and I want them to be an
improvement over what we currently have...

What I personally want or would like to do myself is
to remove the idmap_hash module altogether. But
unfortunately that does not seem to be feasible,
since it is used out there.

> If you do not want to change/fix the manpage or add a check in idmap_hash
> module itself then please tell me and I can stop wasting time on a patchset
> which is not accepted upstream.
>
> If you want to fix the documentation please suggest a text for the manpage.

Let me try to explain what the module does. This is not yet a
polished text, but may serve as a basis:

=========================================================================
The idmap_hash module calculates a Unix ID for a given SID as
follows:

- Write the SID as DOMAINSID-RID.
- The module calculates a 12-bit hash value of the DOMAINSID,
  i.e. a value hash(DOMAINSID) between 0 and 4095.
- The unix-ID for SID is then calculated as

    unix-id(SID) = hash(DOMAINSID) * 0x080000 + (RID % 0x080000)

  (Note 0x080000 == 524288 and 4095 == 0x0FFF.)


Hence:

- Each domain has its predefined fixed range of

    hash(DOMAINSID)*0x080000 -- (hash(DOMAINSID)*0x080000 + 524287)

- The overall required range to be able to map all SIDs is

    0 -- 4096 * 524288 - 1 = 2147483647

This leads to a few issues:

- Any range smaller than 0 - 2147483647 will filter some SIDs.
- Since we can not start the range at 0, some SIDs can *never*
  be mapped.
- Some domain SIDs will be mapped to the same range.
- RIDs will wrap around, i.e. DOMSID-RID and
  DOMSID-(RID+524288) will be mapped to the same ID.

Hence the recommendation is:

   DO NOT USE THIS MODULE!

If you have to use it, then make the range as big as possible.
I would say start as low as you can afford, i.e. 1000 or 10000.
That way, you'll at least catch some IDs of those domains
that are unfortunate enough to fall into hash value 0...
(Note to Andreas: If you want to start at 520000 instead,
completely filtering hash value 0 domains, that is a point of
view as well, which comes closer to not using the module at all...)

All in all, I can only repeat:

   DO NOT USE THIS MODULE!

=====================================================================

Does that make it more clear?

Cheers - Michael

signature.asc (169 bytes) Download Attachment
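The formulas in Michael's message above, worked through as an added Python model. This is example code written for this page, not Samba's idmap_hash implementation: the 12-bit `domain_hash` is a stand-in (an XOR of the sub-authorities folded to 12 bits), since the thread only states that the hash is 12-bit and fixed per domain, and all function names, the constructed SIDs and the two configured ranges taken from the thread ('1000-4000000000' from the manpage example, '100000-4000000' from the v3 patch text) are assumptions of the example. It shows what the argument turns on: a domain's subrange is absolute, so a range that passes the "room for at least one domain" size check can still contain none of the IDs of the domain that actually logs on, and RIDs 524288 apart collide.

```python
# Model of the idmap_hash SID -> unix-ID arithmetic described in the thread:
#   unix-id(SID) = hash(DOMAINSID) * 0x080000 + (RID % 0x080000), 12-bit hash.
# Added example, not Samba code.  domain_hash() below is a STAND-IN: Samba's
# real 12-bit domain hash is not reproduced; for the range arithmetic only the
# fact that it yields a fixed value in 0..4095 per domain matters.

DOMAIN_RANGE_SIZE = 0x080000                              # 524288 IDs per hashed domain
HASH_BUCKETS = 4096                                       # 12-bit hash -> 4096 fixed subranges
FULL_RANGE = (0, HASH_BUCKETS * DOMAIN_RANGE_SIZE - 1)    # 0 .. 2147483647


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID); the RID is the last sub-authority."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def domain_hash(domain_sid):
    """ASSUMPTION: illustrative 12-bit hash (XOR of the sub-authorities, folded to 12 bits).
    Deterministic per domain, which is the property the thread's argument rests on."""
    h = 0
    for sub in domain_sid.split("-")[3:]:       # skip 'S', revision and identifier authority
        h ^= int(sub)
    return (h ^ (h >> 12) ^ (h >> 24)) & 0xFFF


def domain_range(domain_sid):
    """The absolute, configuration-independent subrange a domain hashes into."""
    base = domain_hash(domain_sid) * DOMAIN_RANGE_SIZE
    return base, base + DOMAIN_RANGE_SIZE - 1


def unix_id(sid):
    """The ID the module computes before the configured range is applied."""
    domain_sid, rid = split_sid(sid)
    return domain_hash(domain_sid) * DOMAIN_RANGE_SIZE + rid % DOMAIN_RANGE_SIZE


def parse_range(value):
    """Parse an 'idmap config * : range = low-high' value."""
    low, high = (int(x) for x in value.split("-", 1))
    if low > high:
        raise ValueError("range low %d > high %d" % (low, high))
    return low, high


def range_is_big_enough(low, high):
    """The size check the patch in this thread adds to testparm: room for one domain."""
    return high - low + 1 >= DOMAIN_RANGE_SIZE


def map_sid(sid, low, high):
    """ID winbind would hand out, or None when the configured range filters it."""
    uid = unix_id(sid)
    return uid if low <= uid <= high else None


def covered_ids(domain_sid, low, high):
    """How many of a domain's 524288 IDs fall inside the configured range."""
    start, end = domain_range(domain_sid)
    return max(0, min(end, high) - max(start, low) + 1)


def fully_covered_buckets(low, high):
    """Number of the 4096 subranges lying entirely inside the configured range."""
    count = 0
    for h in range(HASH_BUCKETS):
        start = h * DOMAIN_RANGE_SIZE
        if start >= low and start + DOMAIN_RANGE_SIZE - 1 <= high:
            count += 1
    return count


if __name__ == "__main__":
    # Constructed SIDs; the hash values are those of the stand-in hash above.
    dom_a = "S-1-5-21-1-2-3"        # stand-in hash 21 -> subrange 11010048..11534335
    dom_zero = "S-1-5-21-21-0-0"    # stand-in hash 0  -> the unlucky subrange at the bottom
    for cfg in ("1000-4000000000", "100000-4000000"):
        low, high = parse_range(cfg)
        print(cfg, "big enough:", range_is_big_enough(low, high),
              "fully covered subranges:", fully_covered_buckets(low, high))
        for dom in (dom_a, dom_zero):
            print("  ", dom, "subrange", domain_range(dom),
                  "covered IDs:", covered_ids(dom, low, high),
                  "RID 500 ->", map_sid(dom + "-500", low, high))
    # RID wrap-around: two SIDs of the same domain, 524288 apart, share one unix ID.
    print(unix_id(dom_a + "-1000"), unix_id(dom_a + "-525288"))
```

Run it directly to print, for both configured ranges, how many of the 4096 subranges are fully covered and how many IDs of each sample domain survive; `range_is_big_enough` is the test the patch adds to testparm, `covered_ids` is the question that test cannot answer.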
Re: [PATCH] Check if the idmap_hash range is big enough

Andreas Schneider-15
On Tuesday, 21 February 2017 10:16:21 CET Michael Adam wrote:
> Well. You want to change the manpage and testparm.
> I am reviewing your changes since I want the changes
> going in to be correct, and I want them to be an
> improvement over what we currently have...
>
> What I personally want or would like to do myself is
> to remove the idmap_hash module altogether. But
> unfortunately that does not seem to be feasible,
> since it is used out there.

I've added a deprecation message to the init function. See attached patch.

>
> > If you do not want to change/fix the manpage or add a check in idmap_hash
> > module itself then please tell me and I can stop wasting time on a
> > patchset
> > which is not accepted upstream.
> >
> > If you want to fix the documentation please suggest a text for the
> > manpage.
>
> Let me try to explain what the module does. This is not yet a
> polished text, but may serve as a basis:
>
> =========================================================================
> The idmap_hash module calculates a Unix ID for a given SID as
> follows:
>
> - Write the SID as DOMAINSID-RID.
> - The module calculates a 12-bit hash value of the DOMAINSID,
>   i.e. a value hash(DOMAINSID) between 0 and 4095.
> - The unix-ID for SID is then calculated as
>
>     unix-id(SID) = hash(DOMAINSID) * 0x080000 + (RID % 0x080000)
>
>   (Note 0x080000 == 524288 and 4095 == 0x0FFF.)
>
>
> Hence:
>
> - Each domain has its predefined fixed range of
>
>     hash(DOMAINSID)*0x080000 -- (hash(DOMAINSID)*0x080000 + 524287)
>
> - The overall required range to be able to map all SIDs is
>
>     0 -- 4096 * 524288 - 1 = 2147483647
>
> This leads to a few issues:
>
> - Any range smaller than 0 - 2147483647 will filter some SIDs.
> - Since we can not start the range at 0, some SIDs can *never*
>   be mapped.
> - Some domain SIDs will be mapped to the same range.
> - RIDs will wrap around, i.e. DOMSID-RID and
>   DOMSID-(RID+524288) will be mapped to the same ID.
>
> Hence the recommendation is:
>
>    DO NOT USE THIS MODULE!
>
> If you have to use it, then make the range as big as possible.
> I would say start as low as you can afford, i.e. 1000 or 10000.
> That way, you'll at least catch some IDs of those domains
> that are unfortunate enough to fall into hash value 0...
> (Note to Andreas: If you want to start at 520000 instead,
> completely filtering hash value 0 domains, that is a point of
> view as well, which comes closer to not using the module at all...)
>
> All in all, I can only repeat:
>
>    DO NOT USE THIS MODULE!
Here is a v5 of the patchset. I'm not sure we should outline so many things in
the manpage for the user.


Please modify the manpage yourself if you want to give all the details or lets
have a phone call and do it together.


I think we should at least fail to start if the user uses a range which is too
small to map at least one domain. So he reads the manpage.



        Andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

idmap_hash_v5.patch (4K) Download Attachment
Re: [PATCH] Check if the idmap_hash range is big enough

Andreas Schneider-15
In reply to this post by Michael Adam-3
On Tuesday, 21 February 2017 10:16:21 CET Michael Adam wrote:

> On 2017-02-21 at 09:32 +0100, Andreas Schneider wrote:
> > On Tuesday, 21 February 2017 02:10:17 CET Michael Adam wrote:
> > > On 2017-02-20 at 11:51 +0100, Andreas Schneider wrote:
> > > > On Friday, 17 February 2017 18:44:34 CET Michael Adam wrote:
> > > > > > - idmap config * : range = 1000-4000000000
> > > > > > + idmap config * : range = 100000-4000000000
> > > > >
> > > > > If you want to catch as much as possible of a domain
> > > > > that gets hashed to 0, then the lower bound needs to
> > > > > be as low as possible, hence the 1000. But then,
> > > > > the first 1000 rids in a domain will be used as well,
> > > > > and hence why not skip this first range entirely
> > > > > and start at 500000 ? ;-)
> > > >
> > > > Ok, let's start there. I think we should suggest 525000 that is big
> > > > enough
> > > > and easy to deal with for our users.
> > > >
> > > > > So:
> > > > >
> > > > > - the idmap hash module, when used for "idmap config *",
> > > > >
> > > > >   ideally should have the full range of
> > > > >   0 - 2147483648 which is not quite possible (at the low
> > > > >   end at least)...
> > > >
> > > > The best is to start with 500000. 1000 is normally the start for local
> > > > users.
> > >
> > > Now what? 500000 or 525000 ? :-)
> > >
> > > > See attached patchset.
> > > >
> > > > Andreas
> > > >
> > > > From c0f379a680613fdb28a23d0cf2e3ed9ace260fd7 Mon Sep 17 00:00:00 2001
> > > > From: Andreas Schneider <[hidden email]>
> > > > Date: Wed, 15 Feb 2017 08:55:24 +0100
> > > > Subject: [PATCH 1/2] docs: Improve the idmap_hash manpage
> > > >
> > > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
> > > >
> > > > Signed-off-by: Andreas Schneider <[hidden email]>
> > > > ---
> > > >
> > > >  docs-xml/manpages/idmap_hash.8.xml | 7 ++++++-
> > > >  1 file changed, 6 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/docs-xml/manpages/idmap_hash.8.xml
> > > > b/docs-xml/manpages/idmap_hash.8.xml index 9f4f1d1933c..a9230498efe
> > > > 100644
> > > > --- a/docs-xml/manpages/idmap_hash.8.xml
> > > > +++ b/docs-xml/manpages/idmap_hash.8.xml
> > > > @@ -24,6 +24,11 @@
> > > >
> > > >    to support a local name mapping files if enabled via the
> > > >    &quot;winbind normalize names&quot; and &quot;winbind nss
> > > >    info&quot;
> > > >    parameters in smb.conf.
> > > >
> > > > +  The module divides the range into subranges for each domain that
> > > > is
> > > > being +  handled by the idmap config.
> > > > +  Each range has a size of roughly 525000 IDs (20 bit). This means
> > > > +  that the range for multiple domains needs to be large enough! So
a

> > > > good value +  is normally '100000-4000000' or even bigger.
> > >
> > > That's not the main point.
> > > It's not that you need a couple of those ranges of size ~ 525000
> > > in order to accommodate a few domains.  You need *them all*
> > > because each domain has a fixed absolute range associated to it
> > > by the hashing algorithm, and you don't know a priori which domain
> > > will come by...
> > >
> > > So no, the above range is not normally a good value,
> > > since those almost 8 ranges out of the more than 4000
> > > ranges that exist, are likely not among those needed
> > > for the domains that enter the system...
> > >
> > > (apart from this, the low id of 100000 seems to contradict your
> > > mention of 525000 above...)
> >
> > You should look at patch version v4.
>
> Ah, I had only seen v3. :-)
> v4 is of course more consistent.
>
> > You said a domain needs 524288 ids for allocation. So 525000 is easier for
> > a user, that's why I chose that. If the text is wrong, could you please
> > suggest a text instead of letting me do the guesswork here?
>
> Well, I am not actually letting you do guesswork.
> I'm only saying what I see as problematic. And if
> that is not clear you can also look at the code
> instead of guessing, right? ... ;-)
>
> I would also propose a text if I had a good one.
> The unresolvable dilemma here is that this module
> is utterly messed up, and NO configuration that
> we can come up with will be perfect, for reasons
> I detailed in an earlier mail.
>
> I guess any good and honest text will have to
> explain the formulas used by the module, so that
> the reader can understand what the module does.
> It will also contain the sentence "DO NOT USE THIS MODULE!"...
>
> (See below...)
>
> > > >   </para>
> > > >  
> > > >  </refsynopsisdiv>
> > > >
> > > > @@ -53,7 +58,7 @@
> > > >
> > > >   <programlisting>
> > > >   [global]
> > > >   idmap config * : backend = hash
> > > >
> > > > - idmap config * : range = 1000-4000000000
> > > > + idmap config * : range = 100000-4000000000
> > > >
> > > >   winbind nss info = hash
> > > >   winbind normalize names = yes
> > >
> > > Again, this misses the main point, because the hash ranges
> > > are determined absolutely, and not relative to configured
> > > idmap ranges:
> > >
> > > Yeah, it's right that a range this small can't even accommodate
> > > a single domain, but even if we are just big enough for one
> > > range, this is likely not an entire range (but starting in the
> > > middle of one range and ending in the middle of the next one),
> > > and even if one full range is included the likelihood that
> > > it will be this one range that is used by the domain of users
> > > logging on to the samba server is extremely low...
> > >
> > > I am really sorry to be coming across so negatively.
> > > I would like to have a better answer, but currently
> > > I only know what is NOT sufficient or completely good... :-/
> >
> > I don't see or understand where we are going here. I don't understand what
> > you want.
>
> Well. You want to change the manpage and testparm.
> I am reviewing your changes since I want the changes
> going in to be correct, and I want them to be an
> improvement over what we currently have...
>
> What I personally want or would like to do myself is
> to remove the idmap_hash module altogether. But
> unfortunately that does not seem to be feasible,
> since it is used out there.
>
> > If you do not want to change/fix the manpage or add a check in idmap_hash
> > module itself then please tell me and I can stop wasting time on a
> > patchset
> > which is not accepted upstream.
> >
> > If you want to fix the documentation please suggest a text for the
> > manpage.
>
> Let me try to explain what the module does. This is not yet a
> polished text, but may serve as a basis:
>
> =========================================================================
> The idmap_hash module calculates a Unix ID for a given SID as
> follows:
>
> - Write the SID as DOMAINSID-RID.
> - The module calculates a 12-bit hash value of the DOMAINSID,
>   i.e. a value hash(DOMAINSID) between 0 and 4095.
> - The unix-ID for SID is then calculated as
>
>     unix-id(SID) = hash(DOMAINSID) * 0x080000 + (RID % 0x080000)
>
>   (Note 0x080000 == 524288 and 4095 == 0x0FFF.)
>
>
> Hence:
>
> - Each domain has its predefined fixed range of
>
>     hash(DOMAINSID)*0x080000 -- (hash(DOMAINSID)*0x080000 + 524287)
>
> - The overall required range to be able to map all SIDs is
>
>     0 -- 4096 * 524288 - 1 = 2147483647
>
> This leads to a few issues:
>
> - Any range smaller than 0 - 2147483647 will filter some SIDs.
> - Since we can not start the range at 0, some SIDs can *never*
>   be mapped.
> - Some domain SIDs will be mapped to the same range.
> - RIDs will wrap around, i.e. DOMSID-RID and
>   DOMSID-(RID+524288) will be mapped to the same ID.
>
> Hence the recommendation is:
>
>    DO NOT USE THIS MODULE!
>
> If you have to use it, then make the range as big as possible.
> I would say start as low as you can afford, i.e. 1000 or 10000.
> That way, you'll at least catch some IDs of those domains
> that are unfortunate enough to fall into hash value 0...
> (Note to Andreas: If you want to start at 520000 instead,
> completely filtering hash value 0 domains, that is a point of
> view as well, which comes closer to not using the module at all...)
>
> All in all, I can only repeat:
>
>    DO NOT USE THIS MODULE!
>
> =====================================================================
>
> Does that make it more clear?
>
> Cheers - Michael

Some modifications, here is the latest patchset.


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

idmap_hash_v6.patch (4K) Download Attachment