Why is the 'sss' backend verboten as a default IDMAP backend?
Richard Sharpe via samba-technical
2017-07-14 21:53:21 UTC
Hi folks,

Just testing 4.7rc3 and ran into this problem:

ERROR: Do not use the 'sss' backend as the default idmap backend!

Why is that?
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
Jeremy Allison via samba-technical
2017-07-14 21:57:57 UTC
Post by Richard Sharpe via samba-technical
Hi folks,
ERROR: Do not use the 'sss' backend as the default idmap backend!
Why is that?
git blame on testparm gives:

$ git show 3de634d7a04f
commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
Author: Andreas Schneider <***@samba.org>
Date: Wed Dec 7 17:44:25 2016 +0100

s3-testparm: Print error if the default backend is incorrect

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Michael Adam <***@samba.org>

That should help you look up the patch and discussion
on samba-technical archives.
Richard Sharpe via samba-technical
2017-07-14 22:16:07 UTC
Post by Jeremy Allison via samba-technical
Post by Richard Sharpe via samba-technical
Hi folks,
ERROR: Do not use the 'sss' backend as the default idmap backend!
Why is that?
$ git show 3de634d7a04f
commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
Date: Wed Dec 7 17:44:25 2016 +0100
s3-testparm: Print error if the default backend is incorrect
That should help you look up the patch and discussion
on samba-technical archives.
OK, so having read the discussion I guess the issues are:

1. Does sssd generate collision-free idmaps when the customer has
multiple domains
2. Do we want to live dangerously.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
Richard Sharpe via samba-technical
2017-07-14 22:43:41 UTC
On Fri, Jul 14, 2017 at 3:16 PM, Richard Sharpe
Post by Richard Sharpe via samba-technical
Post by Jeremy Allison via samba-technical
Post by Richard Sharpe via samba-technical
Hi folks,
ERROR: Do not use the 'sss' backend as the default idmap backend!
Why is that?
$ git show 3de634d7a04f
commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
Date: Wed Dec 7 17:44:25 2016 +0100
s3-testparm: Print error if the default backend is incorrect
That should help you look up the patch and discussion
on samba-technical archives.
1. Does sssd generate collision-free idmaps when the customer has
multiple domains
2. Do we want to live dangerously.
I notice this in the change:

+ const char *default_backends[] = {
+ "tdb", "tdb2", "ldap", "autorid", "hash"
+ };
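
Review bot: the default_backends array carries no comment stating what qualifies a backend for it, and "hash" sits beside "tdb", "tdb2", "ldap" and "autorid" without explanation. A short comment above the array giving the criterion for membership, and marking any entry that is kept only for compatibility, would stop readers from inferring that a backend resembling a listed one is acceptable as the default.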

That means that the code accepts the hash backend and I think sss uses
the same sort of scheme, so sss should be safe, it would seem.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
Andreas Schneider via samba-technical
2017-07-17 15:21:06 UTC
On Saturday, 15 July 2017 00:43:41 CEST Richard Sharpe via samba-technical
Post by Richard Sharpe via samba-technical
On Fri, Jul 14, 2017 at 3:16 PM, Richard Sharpe
Post by Richard Sharpe via samba-technical
On Fri, Jul 14, 2017 at 02:53:21PM -0700, Richard Sharpe via samba-
Post by Richard Sharpe via samba-technical
Hi folks,
ERROR: Do not use the 'sss' backend as the default idmap backend!
Why is that?
$ git show 3de634d7a04f
commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
Date: Wed Dec 7 17:44:25 2016 +0100
s3-testparm: Print error if the default backend is incorrect
That should help you look up the patch and discussion
on samba-technical archives.
1. Does sssd generate collision-free idmaps when the customer has
multiple domains
2. Do we want to live dangerously.
+ const char *default_backends[] = {
+ "tdb", "tdb2", "ldap", "autorid", "hash"
+ };
That means that the code accepts the hash backend and I think sss uses
the same sort of scheme, so sss should be safe, it would seem.
hash is there for compatibility reasons. The hash backend should never be
used. Sadly we can't remove it yet.
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team ***@samba.org
www.samba.org
Andreas Schneider via samba-technical
2017-07-17 15:18:08 UTC
On Saturday, 15 July 2017 00:16:07 CEST Richard Sharpe via samba-technical
Post by Richard Sharpe via samba-technical
On Fri, Jul 14, 2017 at 02:53:21PM -0700, Richard Sharpe via samba-
Post by Richard Sharpe via samba-technical
Hi folks,
ERROR: Do not use the 'sss' backend as the default idmap backend!
Why is that?
$ git show 3de634d7a04f
commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
Date: Wed Dec 7 17:44:25 2016 +0100
s3-testparm: Print error if the default backend is incorrect
That should help you look up the patch and discussion
on samba-technical archives.
1. Does sssd generate collision-free idmaps when the customer has
multiple domains
2. Do we want to live dangerously.
The idmap_sss backend is a 'read-only' backend! Winbind requires a backend
which can allocate IDs as the default backend!


Cheers,


Andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team ***@samba.org
www.samba.org
Alexander Bokovoy via samba-technical
2017-07-15 07:09:38 UTC
Post by Richard Sharpe via samba-technical
Hi folks,
ERROR: Do not use the 'sss' backend as the default idmap backend!
Why is that?
Because the default idmap backend needs to be writable while 'sss' is a
read-only backend.
--
/ Alexander Bokovoy
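
The check discussed in this thread, sketched as an added example (not Samba's testparm code): it reads smb.conf text, finds the default `idmap config * : backend` setting and compares it with the backend list from the quoted change. The two sample configurations, the EXAMPLE domain and the ID ranges are constructed, and the sketch assumes the idmap lines sit in the [global] section.

```python
import re

# Backends the change quoted in this thread accepts as the default backend.
# Per the thread, "hash" is listed only for compatibility.
DEFAULT_BACKENDS = ("tdb", "tdb2", "ldap", "autorid", "hash")

# "idmap config <domain> : backend = <name>"; the domain "*" is the default.
BACKEND_RE = re.compile(
    r"^idmap\s+config\s+(\S+)\s*:\s*backend\s*=\s*(\S+)$", re.IGNORECASE)

def idmap_backends(conf_text):
    """Return {domain: backend} from the [global] section of smb.conf text."""
    backends, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = BACKEND_RE.match(line)
        if m and section == "global":
            backends[m.group(1)] = m.group(2).lower()
    return backends

def check_default_backend(conf_text):
    """Return an error string if the default backend is not in the list."""
    default = idmap_backends(conf_text).get("*")
    if default is None or default in DEFAULT_BACKENDS:
        return None                              # unset, or an accepted backend
    return f"ERROR: Do not use the '{default}' backend as the default idmap backend!"

# Constructed sample: read-only 'sss' configured as the default backend.
BAD_CONF = """[global]
    workgroup = EXAMPLE
    idmap config * : backend = sss
    idmap config * : range = 200000-2147483647
"""

# Constructed sample: writable default, 'sss' only for the named domain.
GOOD_CONF = """[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999
    idmap config EXAMPLE : backend = sss
    idmap config EXAMPLE : range = 200000-2147483647
"""

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(name, "->", check_default_backend(conf) or "default idmap backend OK")
```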