idmap autorid does nothing?

Status
Not open for further replies.

Elegant

Explorer
Joined
Aug 27, 2015
Messages
67
Hi guys,
I've been using autorid on my other Linux installs for quite some time with SSSD. When I attempt to use autorid with FreeNAS though, it completely ignores the idmap and defers to the idmap used for the SMB shares. An example of that would be as follows:

idmap config mydomain: ignore builtin = yes
idmap config mydomain: read only = no
idmap config mydomain: rangesize = 20000
idmap config mydomain: range = 20000-80000000
idmap config mydomain: backend = autorid
idmap config *: range = 80000001-90000000
idmap config * : backend = tdb


Now this should mean that user elegant gets assigned a uid within the range for mydomain but it doesn't. Instead it gets assigned a uid within the range of *:

id elegant
uid=80000001(elegant) gid=80000005(domain users)


I've tried a variety of things but nothing actually works. Why is it autorid does NOT function correctly? To be clear, rid works fine; this is specific to autorid. If you are wondering why I would want autorid instead of rid, that would be because autorid does not create a gid for every uid. Having a gid for every uid causes confusion with some permissions, as it (more often than not) will grab the gid and assign it as an ACE when that gid does not truly exist.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Caveat: not an idmap expert.
Isn't the autorid backend supposed to be set up as the default for all domains? I.e.
Code:
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
idmap config * : rangesize = 20000

It's possible that autorid by default looks for the range specified by idmap config * : range. How does the autogenerated smb4.conf file compare with the one in your other servers? Perhaps the python script that generates the smb4.conf file needs to make some specific changes if autorid is selected (i.e. make it cover the default domain "*" ).
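
Added example, not part of the thread and not FreeNAS or Samba code: a Python check that parses `idmap config` lines, flags autorid configured on a named domain instead of `*` (the layout the reply above suggests), and computes the ID autorid would assign with the formula from the idmap_autorid manual page. The RID 1105 and range number 0 are constructed values; winbind keeps the real per-domain range number in its database.

```python
import re
# "idmap config <domain> : <option> = <value>", tolerant of the spacing used in the thread
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(.+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg

def check_autorid(cfg):
    """Flag autorid on a named domain while '*' is served by another backend."""
    findings = []
    for dom, opts in sorted(cfg.items()):
        if dom != "*" and opts.get("backend", "").lower() == "autorid":
            findings.append(f"{dom}: autorid configured on a named domain, not on '*'")
    default = cfg.get("*", {}).get("backend", "").lower()
    if findings and default != "autorid":
        findings.append(f"*: default backend is '{default}', not autorid")
    return findings

def autorid_id(range_low, rangesize, range_number, rid):
    """ID = reduced RID + range low value + range number * rangesize."""
    return range_low + range_number * rangesize + (rid % rangesize)

# Relevant lines of the configuration from the first post
POSTED = """\
idmap config mydomain: rangesize = 20000
idmap config mydomain: range = 20000-80000000
idmap config mydomain: backend = autorid
idmap config *: range = 80000001-90000000
idmap config * : backend = tdb
"""
# Layout suggested in the reply: autorid as the default backend
SUGGESTED = """\
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
idmap config * : rangesize = 20000
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, check_autorid(parse_idmap(text)) or "ok")
    # Constructed values: RID 1105, range number 0 (assumed; stored by winbind in practice)
    print(autorid_id(1000000, 20000, 0, 1105))
```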
 

Elegant

Explorer
Joined
Aug 27, 2015
Messages
67
I use SSSD with AutoFS to access my shares on other servers, not Samba. This is not an issue though, as SSSD provides support for autorid using winbind's algorithm: ldap_idmap_autorid_compat = True. I did some more digging; it's possible that it's related to this bug, which is resolved in Samba 4.6. This could make some sense; it could explain why it then feels that defaulting to the * is a better choice since the range does not exist and has no need to be created (you might authenticate but it's already happy in its own range).

Perhaps we'll know with the release of FreeNAS 11 (Samba 4.6.3)?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You could always test it out in a VM. :)
 

Elegant

Explorer
Joined
Aug 27, 2015
Messages
67
I might; I'm out of space right now so I would just snapshot my VM and disable SSSD in favor of Samba for a test.
 