Why is the 'sss' backend verboten as a default IDMAP backend?


Samba - samba-technical mailing list
Hi folks,

Just testing 4.7rc3 and ran into this problem:

ERROR: Do not use the 'sss' backend as the default idmap backend!

Why is that?

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

Re: Why is the 'sss' backend verboten as a default IDMAP backend?

Samba - samba-technical mailing list
On Fri, Jul 14, 2017 at 02:53:21PM -0700, Richard Sharpe via samba-technical wrote:
> Hi folks,
>
> Just testing 4.7rc3 and ran into this problem:
>
> ERROR: Do not use the 'sss' backend as the default idmap backend!
>
> Why is that?

git blame on testparm gives:

$ git show 3de634d7a04f
commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
Author: Andreas Schneider <[hidden email]>
Date:   Wed Dec 7 17:44:25 2016 +0100

    s3-testparm: Print error if the default backend is incorrect
   
    Signed-off-by: Andreas Schneider <[hidden email]>
    Reviewed-by: Michael Adam <[hidden email]>

That should help you look up the patch and discussion
on samba-technical archives.

Re: Why is the 'sss' backend verboten as a default IDMAP backend?

Samba - samba-technical mailing list
On Fri, Jul 14, 2017 at 2:57 PM, Jeremy Allison <[hidden email]> wrote:

> On Fri, Jul 14, 2017 at 02:53:21PM -0700, Richard Sharpe via samba-technical wrote:
>> Hi folks,
>>
>> Just testing 4.7rc3 and ran into this problem:
>>
>> ERROR: Do not use the 'sss' backend as the default idmap backend!
>>
>> Why is that?
>
> git blame on testparm gives:
>
> $ git show 3de634d7a04f
> commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
> Author: Andreas Schneider <[hidden email]>
> Date:   Wed Dec 7 17:44:25 2016 +0100
>
>     s3-testparm: Print error if the default backend is incorrect
>
>     Signed-off-by: Andreas Schneider <[hidden email]>
>     Reviewed-by: Michael Adam <[hidden email]>
>
> That should help you look up the patch and discussion
> on samba-technical archives.

OK, so having read the discussion I guess the issues are:

1. Does sssd generate collision-free idmaps when the customer has
multiple domains
2. Do we want to live dangerously.

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

Re: Why is the 'sss' backend verboten as a default IDMAP backend?

Samba - samba-technical mailing list
On Fri, Jul 14, 2017 at 3:16 PM, Richard Sharpe
<[hidden email]> wrote:

> On Fri, Jul 14, 2017 at 2:57 PM, Jeremy Allison <[hidden email]> wrote:
>> On Fri, Jul 14, 2017 at 02:53:21PM -0700, Richard Sharpe via samba-technical wrote:
>>> Hi folks,
>>>
>>> Just testing 4.7rc3 and ran into this problem:
>>>
>>> ERROR: Do not use the 'sss' backend as the default idmap backend!
>>>
>>> Why is that?
>>
>> git blame on testparm gives:
>>
>> $ git show 3de634d7a04f
>> commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
>> Author: Andreas Schneider <[hidden email]>
>> Date:   Wed Dec 7 17:44:25 2016 +0100
>>
>>     s3-testparm: Print error if the default backend is incorrect
>>
>>     Signed-off-by: Andreas Schneider <[hidden email]>
>>     Reviewed-by: Michael Adam <[hidden email]>
>>
>> That should help you look up the patch and discussion
>> on samba-technical archives.
>
> OK, so having read the discussion I guess the issues are:
>
> 1. Does sssd generate collision-free idmaps when the customer has
> multiple domains
> 2. Do we want to live dangerously.

I notice this in the change:

+ const char *default_backends[] = {
+                       "tdb", "tdb2", "ldap", "autorid", "hash"
+               };
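
Review bot: default_backends[] is introduced without a comment stating what qualifies a backend for this list, so a reader cannot tell from the names alone why "hash" is accepted while another backend is rejected; add a one-line comment above the array giving the criterion. If the table is fixed at compile time, declaring it static const char * const default_backends[] would keep both the strings and the pointer table read-only.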

That means that the code accepts the hash backend and I think sss uses
the same sort of scheme, so sss should be safe, it would seem.

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

Re: Why is the 'sss' backend verboten as a default IDMAP backend?

Samba - samba-technical mailing list
On Fri, 14 Jul 2017, Richard Sharpe via samba-technical wrote:
> Hi folks,
>
> Just testing 4.7rc3 and ran into this problem:
>
> ERROR: Do not use the 'sss' backend as the default idmap backend!
>
> Why is that?
Because default idmap backend needs to be writable while 'sss' is a
read-only backend.

--
/ Alexander Bokovoy

Re: Why is the 'sss' backend verboten as a default IDMAP backend?

Samba - samba-technical mailing list
On Saturday, 15 July 2017 00:16:07 CEST Richard Sharpe via samba-technical
wrote:
> On Fri, Jul 14, 2017 at 2:57 PM, Jeremy Allison <[hidden email]> wrote:
> > On Fri, Jul 14, 2017 at 02:53:21PM -0700, Richard Sharpe via samba-technical wrote:
> >> Hi folks,
> >>
> >> Just testing 4.7rc3 and ran into this problem:
> >>
> >> ERROR: Do not use the 'sss' backend as the default idmap backend!
> >>
> >> Why is that?
> >
> > git blame on testparm gives:
> >
> > $ git show 3de634d7a04f
> > commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
> > Author: Andreas Schneider <[hidden email]>
> > Date:   Wed Dec 7 17:44:25 2016 +0100
> >
> >     s3-testparm: Print error if the default backend is incorrect
> >    
> >     Signed-off-by: Andreas Schneider <[hidden email]>
> >     Reviewed-by: Michael Adam <[hidden email]>
> >
> > That should help you look up the patch and discussion
> > on samba-technical archives.
>
> OK, so having read the discussion I guess the issues are:
>
> 1. Does sssd generate collision-free idmaps when the customer has
> multiple domains
> 2. Do we want to live dangerously.

The idmap_sss backend is a 'read-only' backend! Winbind requires a backend
which can allocate IDs as the default backend!


Cheers,


        Andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Re: Why is the 'sss' backend verboten as a default IDMAP backend?

Samba - samba-technical mailing list
On Saturday, 15 July 2017 00:43:41 CEST Richard Sharpe via samba-technical
wrote:
> On Fri, Jul 14, 2017 at 3:16 PM, Richard Sharpe <[hidden email]> wrote:
> > On Fri, Jul 14, 2017 at 2:57 PM, Jeremy Allison <[hidden email]> wrote:
> >> On Fri, Jul 14, 2017 at 02:53:21PM -0700, Richard Sharpe via samba-technical wrote:
> >>> Hi folks,
> >>>
> >>> Just testing 4.7rc3 and ran into this problem:
> >>>
> >>> ERROR: Do not use the 'sss' backend as the default idmap backend!
> >>>
> >>> Why is that?
> >>
> >> git blame on testparm gives:
> >>
> >> $ git show 3de634d7a04f
> >> commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
> >> Author: Andreas Schneider <[hidden email]>
> >> Date:   Wed Dec 7 17:44:25 2016 +0100
> >>
> >>     s3-testparm: Print error if the default backend is incorrect
> >>    
> >>     Signed-off-by: Andreas Schneider <[hidden email]>
> >>     Reviewed-by: Michael Adam <[hidden email]>
> >>
> >> That should help you look up the patch and discussion
> >> on samba-technical archives.
> >
> > OK, so having read the discussion I guess the issues are:
> >
> > 1. Does sssd generate collision-free idmaps when the customer has
> > multiple domains
> > 2. Do we want to live dangerously.
>
> I notice this in the change:
>
> + const char *default_backends[] = {
> +                       "tdb", "tdb2", "ldap", "autorid", "hash"
> +               };
>
> That means that the code accepts the hash backend and I think sss uses
> the same sort of scheme, so sss should be safe, it would seem.

hash is there for compatibility reasons. The hash backend should never be
used. Sadly we can't remove it yet.

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org
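
As an added example (not code from this thread or from Samba), a small Python lint that applies the allow-list quoted above to smb.conf text, so a read-only default backend is caught before deployment; the warning for 'hash' reflects the last reply. The sample configurations, the domain name EXAMPLE and the ID ranges are constructed, and `include` directives and line continuations are not followed.

```python
import re

# Allow-list quoted in the thread from the testparm change.
DEFAULT_BACKENDS = ("tdb", "tdb2", "ldap", "autorid", "hash")
_KEY = re.compile(r"^idmapconfig(.+):backend$")

# Constructed samples: domain EXAMPLE and the ID ranges are placeholders.
BAD_CONF = """[global]
idmap config * : backend = sss
idmap config * : range = 200000-2147483647
"""
GOOD_CONF = """[global]
# writable default that can allocate IDs; sss only for the named domain
idmap config * : backend = tdb
idmap config * : range = 100000-199999
idmap config EXAMPLE : backend = sss
idmap config EXAMPLE : range = 200000-2147483647
"""

def idmap_backends(conf_text):
    """Map domain (lower-cased, '*' = default) to backend, from [global]."""
    backends, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Ignore case and spacing in the parameter name.
        m = _KEY.match("".join(key.split()).lower())
        if m:
            backends[m.group(1)] = value.strip().lower()
    return backends

def check_default_backend(conf_text):
    """Return (level, message) for the default ('*') idmap backend."""
    backend = idmap_backends(conf_text).get("*")
    if backend is None:
        return ("ok", "no explicit default idmap backend configured")
    if backend not in DEFAULT_BACKENDS:
        return ("error", f"Do not use the '{backend}' backend as the default idmap backend!")
    if backend == "hash":
        return ("warn", "'hash' is accepted for compatibility only")
    return ("ok", f"default idmap backend is '{backend}'")
```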
