Re: [Samba] Samba4 LDAP: how to write to idmap.ldb
On 05/13/2012 07:49 PM, Andrew Bartlett wrote:
> On Sun, 2012-05-13 at 10:40 -0700, Matthieu Patou wrote:
> > On 05/12/2012 11:30 PM, steve wrote:
> > > Hi everyone
> > >
> > > I can change a mapping in idmap.ldb according to the samba4 wiki:
> > > https://wiki.samba.org/index.php/Samba4/HOWTO#Managing_Samba_4_Active_Directory_From_Windows_XP_Pro
> > >
> > > But if I delete an object via ldbmodify or ldbedit, it doesn't delete
> > > the entry in idmap.ldb. We have users who we deleted long ago still
> > > present there. Over a period of time, this could amount to a lot of
> > > wasted space.
> >
> > No, the space used in idmap for a user mapping is ridiculously small; if
> > you haven't removed ~10 000 users it's not worth worrying about.
> >
> > > Would it be possible that samba-tool user delete and samba-tool
> > > group delete also delete the corresponding entry in idmap.ldb?
> >
> > Yeah, it could be. File a request in bugzilla explaining this; it's an
> > enhancement and I think it has a pretty low priority.
> >
> > At the same time you should also ask for an expunge command so that if
> > you removed the user/group from ADCU we could remove all inactive groups.
> >
> > But that's very very very low priority to me but should be rather easy
> > to do.
>
> The reason not to do this at all is that just as the SID is never
> re-used, the UID should not be re-used.

The thing is that we keep track of the latest usn (at least in s4 idmap) so even if we purge removed users we won't cycle on already affected UID/GID.

> Additionally, if that UID or SID were to be found on a file ACL, it is
> critically important that we continue to map it in the same way (as the
> acl_xattr check-hash on the SD for posix/NT consistency is done on the
> mapped-from-posix NT ACL).

Oh, I didn't know that.

--
Matthieu Patou
Samba Team
http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 LDAP: how to write to idmap.ldb
On Sun, 2012-05-13 at 10:40 -0700, Matthieu Patou wrote:
> On 05/12/2012 11:30 PM, steve wrote:
> > Hi everyone
> >
> > I can change a mapping in idmap.ldb according to the samba4 wiki:
> > https://wiki.samba.org/index.php/Samba4/HOWTO#Managing_Samba_4_Active_Directory_From_Windows_XP_Pro
> >
> > But if I delete an object via ldbmodify or ldbedit, it doesn't delete
> > the entry in idmap.ldb. We have users who we deleted long ago still
> > present there. Over a period of time, this could amount to a lot of
> > wasted space.
>
> No, the space used in idmap for a user mapping is ridiculously small; if
> you haven't removed ~10 000 users it's not worth worrying about.
>
> > Would it be possible that samba-tool user delete and samba-tool
> > group delete also delete the corresponding entry in idmap.ldb?
>
> Yeah, it could be. File a request in bugzilla explaining this; it's an
> enhancement and I think it has a pretty low priority.
>
> At the same time you should also ask for an expunge command so that if
> you removed the user/group from ADCU we could remove all inactive groups.
>
> But that's very very very low priority to me but should be rather easy
> to do.

The reason not to do this at all is that just as the SID is never re-used, the UID should not be re-used.

Additionally, if that UID or SID were to be found on a file ACL, it is critically important that we continue to map it in the same way (as the acl_xattr check-hash on the SD for posix/NT consistency is done on the mapped-from-posix NT ACL).

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
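
The reasoning in the message above (a stale mapping keeps its UID/GID reserved, and an ID must never end up mapped to a different SID), as an added example that is not part of the original thread: a read-only audit over an LDIF dump of idmap.ldb that reports stale mappings instead of deleting them and flags any reused ID. The sample records, the list of live SIDs, and every attribute name other than xidNumber are constructed assumptions.

```python
# Constructed sample in the shape of an LDIF dump of idmap.ldb. Only
# xidNumber is named in the thread; cn, objectClass and type are assumptions.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-1104
cn: S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
type: ID_TYPE_UID
xidNumber: 3000010

dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000011

dn: CN=S-1-5-21-1111-2222-3333-1110
cn: S-1-5-21-1111-2222-3333-1110
objectClass: sidMap
type: ID_TYPE_UID
xidNumber: 3000010
"""
# Constructed: SIDs that still exist in the directory (1104 was deleted).
LIVE_SIDS = {"S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-1110"}
NAMESPACES = {"ID_TYPE_UID": ("uid",), "ID_TYPE_GID": ("gid",),
              "ID_TYPE_BOTH": ("uid", "gid")}

def parse_idmap(ldif):
    """Return one dict per record that carries a SID (cn) and an xidNumber."""
    records = []
    for block in ldif.strip().split("\n\n"):
        rec = dict(line.split(": ", 1) for line in block.splitlines()
                   if ": " in line and not line.startswith("#"))
        if "cn" in rec and "xidNumber" in rec:
            records.append(rec)
    return records

def audit(records, live_sids):
    """Report stale mappings (never delete them) and any reused POSIX ID."""
    stale = sorted(r["cn"] for r in records if r["cn"] not in live_sids)
    owners = {}
    for r in records:
        # Unknown type: treat the ID as occupying both namespaces.
        for ns in NAMESPACES.get(r.get("type"), ("uid", "gid")):
            owners.setdefault((ns, int(r["xidNumber"])), []).append(r["cn"])
    reused = {k: sorted(v) for k, v in owners.items() if len(v) > 1}
    return stale, reused

STALE, REUSED = audit(parse_idmap(IDMAP_LDIF), LIVE_SIDS)
```

In the sample, UID 3000010 is held by both a deleted and a live SID, so any file ACL still carrying that UID would resolve to the wrong account; that is the condition the audit exists to catch.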
Re: [Samba] Samba4 LDAP: how to write to idmap.ldb
On 05/13/2012 07:40 PM, Matthieu Patou wrote:
> On 05/12/2012 11:30 PM, steve wrote:
> the space used in idmap for a user mapping is ridiculously small

That's fine for us. If we wanted, I suppose we could delete the sid DN in idmap using a ldbsearch on xidNumber. But as you say. Who cares?

Thank you for your help in clarifying this matter.

Cheers,
Steve
Re: [Samba] Samba4 LDAP: how to write to idmap.ldb
On 05/12/2012 11:30 PM, steve wrote:
> Hi everyone
>
> I can change a mapping in idmap.ldb according to the samba4 wiki:
> https://wiki.samba.org/index.php/Samba4/HOWTO#Managing_Samba_4_Active_Directory_From_Windows_XP_Pro
>
> But if I delete an object via ldbmodify or ldbedit, it doesn't delete
> the entry in idmap.ldb. We have users who we deleted long ago still
> present there. Over a period of time, this could amount to a lot of
> wasted space.

No, the space used in idmap for a user mapping is ridiculously small; if you haven't removed ~10 000 users it's not worth worrying about.

> Would it be possible that samba-tool user delete and samba-tool
> group delete also delete the corresponding entry in idmap.ldb?

Yeah, it could be. File a request in bugzilla explaining this; it's an enhancement and I think it has a pretty low priority.

At the same time you should also ask for an expunge command so that if you removed the user/group from ADCU we could remove all inactive groups.

But that's very very very low priority to me but should be rather easy to do.

--
Matthieu Patou
Samba Team
http://samba.org
[Samba] Samba4 LDAP: how to write to idmap.ldb
Hi everyone

I can change a mapping in idmap.ldb according to the samba4 wiki:
https://wiki.samba.org/index.php/Samba4/HOWTO#Managing_Samba_4_Active_Directory_From_Windows_XP_Pro

But if I delete an object via ldbmodify or ldbedit, it doesn't delete the entry in idmap.ldb. We have users who we deleted long ago still present there. Over a period of time, this could amount to a lot of wasted space.

Would it be possible that samba-tool user delete and samba-tool group delete also delete the corresponding entry in idmap.ldb?

Cheers,
Steve