On Sun, 2012-05-13 at 10:40 -0700, Matthieu Patou wrote:
> On 05/12/2012 11:30 PM, steve wrote:
> > Hi everyone
> >
> > I can change a mapping in idmap.ldb according to the samba4 wiki:
> > https://wiki.samba.org/index.php/Samba4/HOWTO#Managing_Samba_4_Active_Directory_From_Windows_XP_Pro
> >
> > But if I delete an object via ldbmodify or ldbedit, it doesn't delete
> > the entry in idmap.ldb. We have users who we deleted long ago still
> > present there. Over a period of time, this could amount to a lot of
> > wasted space.
>
> No, the space used in idmap for a user mapping is ridiculously small; if
> you haven't removed ~10 000 users it's not worth worrying about.
>
> > Would it be possible that samba-tool user delete <x> and samba-tool
> > group delete <y> also delete the corresponding entry in idmap.ldb?
>
> Yeah, it could be. File a request in bugzilla explaining this; it's an
> enhancement and I think it has a pretty low priority.
>
> At the same time you should also ask for an expunge command so that if
> you removed the user/group from ADCU we could remove all inactive groups.
>
> But that's very, very, very low priority to me, though it should be rather easy
> to do.
The reason not to do this at all is that just as the SID is never re-used, the UID should not be re-used. Additionally, if that UID or SID were to be found on a file ACL, it is critically important that we continue to map it in the same way (as the acl_xattr check-hash on the SD for posix/NT consistency is done on the mapped-from-posix NT ACL).

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team
http://samba.org
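An added illustration of Andrew's point (example code, not from the thread or from Samba itself): an audit that cross-checks idmap.ldb mappings against the SIDs still present in the directory and the uids/gids still referenced by file ACLs, and allocates new xids above every existing mapping so a uid is never handed out twice. The LDIF attribute names, the sample SIDs and the set of ACL-referenced xids are assumed and constructed for the example.

```python
# Constructed sample of idmap.ldb content as LDIF (attribute names assumed
# from the sidMap entries: objectSid, xidNumber, type); three mappings.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1-2-3-1103
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-1103
type: ID_TYPE_BOTH
xidNumber: 3000017

dn: CN=S-1-5-21-1-2-3-1104
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-1104
type: ID_TYPE_BOTH
xidNumber: 3000018

dn: CN=S-1-5-21-1-2-3-1105
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-1105
type: ID_TYPE_BOTH
xidNumber: 3000019
"""
LIVE_SIDS = {"S-1-5-21-1-2-3-1105"}  # SIDs still present in the directory (constructed)
ACL_XIDS = {3000017, 3000019}        # uids/gids found in file ACLs on disk (constructed)

def parse_idmap(ldif):
    """Return {objectSid: xidNumber}; LDIF entries are separated by blank lines."""
    mappings = {}
    for block in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if attrs.get("objectClass") == "sidMap":
            mappings[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mappings

def classify(mappings, live_sids, acl_xids):
    """Split mappings into active, stale-but-referenced by an ACL, and stale-unreferenced.
    The stale-but-referenced ones must keep resolving to the same SID or the ACL breaks."""
    result = {"active": [], "stale_referenced": [], "stale_unreferenced": []}
    for sid, xid in mappings.items():
        if sid in live_sids:
            result["active"].append(sid)
        elif xid in acl_xids:
            result["stale_referenced"].append(sid)
        else:
            result["stale_unreferenced"].append(sid)
    return result

def next_xid(mappings):
    """Allocate above every known xid, stale ones included, so a uid is never handed out twice."""
    return max(mappings.values()) + 1
```

Even the "stale_unreferenced" bucket is only unreferenced as far as the scanned ACLs go, which is why the safe default is to keep the mapping rather than delete it.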