On Mon, Apr 28, 2025 at 9:20 AM Ralf Boehm via sssd-users
<[email protected]> wrote:
> We want to switch from winbind to sssd. We have been using winbind
> for many years and have a configuration that does not seem to be
> compatible with sssd, at least I have not been able to find one.
>
> We use several Windows Active Directory servers. When we started
> using winbind, there were relatively few Linux hosts. Most of our
> clients and servers had a Windows operating system.
>
> We decided to go with rid backends at that time. It works very
> well. Here are the settings from /etc/samba/smb.conf:
>
> # UID & GID Mapping with RID
> idmap config DOMAIN1:backend = rid
> idmap config DOMAIN1:range = 100000-349999
> idmap config DOMAIN:base_rid = 0
> idmap config DOMAIN2:backend = rid
> idmap config DOMAIN2:range = 350000-599999
> idmap config DOMAIN2:base_rid = 0
> idmap config *:backend = tdb
> idmap config *:range = 600000-849999

If I were in your position, I would try testing something like this:

[domain/example1.com]
ldap_id_mapping = True
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 349999
ldap_idmap_range_size = 250000

[domain/example2.com]
ldap_id_mapping = True
ldap_idmap_range_min = 350000
ldap_idmap_range_max = 599999
ldap_idmap_range_size = 250000

In essence, for each domain, this provides an ID map range that
consists of a single slice of 250000 ids, exactly matching the slice
size and range that the SMB idmap backend uses. Since there is only
one slice (slice 0), no matter what the domain SID is, it will always
hash to slice 0 (because there are no other slices).

There might be some reason why this approach won't work that isn't
occurring to me, but before I gave up and abandoned ID mapping (in
favor of having my Windows admins just add uidNumber and/or gidNumber
attributes to everything), I would at least give it a try.
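
Added example, not part of the original thread and not SSSD or Samba code: a small parity check for the DOMAIN1 range above, comparing the ID that the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) yields with the ID a single SSSD slice would yield. It assumes, as the reply describes, that the domain lands in slice 0 starting at ldap_idmap_range_min; the SIDs and all function names are constructed for illustration.

```python
import re

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-(\d+)$")

def rid_of(sid):
    """Return the RID (last sub-authority) of a domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return int(m.group(2))

def winbind_rid_id(rid, low, high, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, or None if outside the range."""
    if rid < base_rid:
        return None
    posix_id = rid - base_rid + low
    return posix_id if posix_id <= high else None

def sssd_single_slice_id(rid, range_min, range_size):
    """Model of SSSD ID mapping with one slice (assumption: slice 0 begins at
    range_min). A RID that does not fit in the slice is treated as unmapped."""
    return range_min + rid if rid < range_size else None

def compare(sids, low, high, range_size, base_rid=0):
    """Return (sid, winbind_id, sssd_id, same) for each SID."""
    rows = []
    for sid in sids:
        rid = rid_of(sid)
        w = winbind_rid_id(rid, low, high, base_rid)
        s = sssd_single_slice_id(rid, low, range_size)
        rows.append((sid, w, s, w is not None and w == s))
    return rows

# Constructed sample SIDs (made-up domain identifier, varying RIDs).
SAMPLE = [
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "S-1-5-21-1111111111-2222222222-3333333333-260000",  # RID beyond the range
]

if __name__ == "__main__":
    for row in compare(SAMPLE, low=100000, high=349999, range_size=250000):
        print(row)
```

Passing a non-zero base_rid shows why the two schemes only line up when base_rid = 0, and any row with same == False marks an account whose file ownership would change after the switch.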