Bug 44549 - ID mapping range for "*" is not configurable
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
UCS 4.2
Other Linux
P5 normal
UCS 4.2-0-errata
Assigned To: Felix Botner
Arvid Requate
Depends on:
Blocks: 44560
Reported: 2017-05-05 17:01 CEST by Jens Thorp-Hansen
Modified: 2017-05-24 10:48 CEST
See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017050521000171
Bug group (optional):
Max CVSS v3 score:


Description Jens Thorp-Hansen univentionstaff 2017-05-05 17:01:01 CEST
The ID mapping range for "*" is not configurable, while the range for the domain ID mapping is. Both should not overlap, but if you set the domain mapping range via: 

# ucr set samba/idmap/<domain>/range='1000-549999'

this happens at once, since you _cannot_ also set this:

# ucr set 'samba/idmap/*/range'='550000-640000'

(you would have to change the following snippet from the template):

print '\tidmap config * : backend\t= ldap'
--> print '\tidmap config * : range\t\t= 55000-64000'
print '\tidmap config * : ldap_url\t= ldap://%s' % ' ldap://'.join(ldapserver)
print '\tidmap config * : ldap_user_dn\t= %s' % (admindn)
## print '\tidmap config * : ldap_base_dn\t= cn=idmap,cn=univention,%s' % (ldap_base)

# replacement for deprecated samba/winbind/trusted/domains/only=yes
if configRegistry.get('windows/domain'):
        mydomain=configRegistry['windows/domain'].upper()
        defaultrange = '1000-54999'
        # try uppercase domain, then allow for lowercase, otherwise use defaultrange
        range = configRegistry.get('samba/idmap/%s/range' % mydomain, configRegistry.get('samba/idmap/%s/range' % mydomain.lower(), defaultrange))
        print '\tidmap config %s : backend = nss' % (mydomain, )
        print '\tidmap config %s : range = %s' % (mydomain, range)
        ### </idmap config v6 for Samba 3.6.0>

---------------------------------------------------------------------------------

The template should look like this:

--> default_range = configRegistry.get('samba/idmap/*/range', '55000-64000')
print '\tidmap config * : backend\t= ldap'
--> print '\tidmap config * : range\t\t= %s' % default_range
print '\tidmap config * : ldap_url\t= ldap://%s' % ' ldap://'.join(ldapserver)
print '\tidmap config * : ldap_user_dn\t= %s' % (admindn)
## print '\tidmap config * : ldap_base_dn\t= cn=idmap,cn=univention,%s' % (ldap_base)
Comment 1 Felix Botner univentionstaff 2017-05-05 17:11:14 CEST
This is important for Samba memberservers as the gid/uid<->SID mapping is done via winbind but the default range for the Domain has a range from 1000-54999. As soon as the uidNumber/gidNumber goes beyond 54999 (which is not unlikely in school environments) gid/uid<->SID mapping is broken.
Comment 2 Felix Botner univentionstaff 2017-05-09 12:27:57 CEST
added samba/idmap/range (samba/idmap/*/range is not allowed by ucslint :-( )

univention-samba: r79233
staging/univention-samba.yaml
Comment 3 Arvid Requate univentionstaff 2017-05-22 20:53:43 CEST
Ok, works:

ucr set samba/idmap/$(ucr get windows/domain)/range=1000-549999 \
        samba/idmap/range=550000-640000

I've added a note to the advisory explaining the purpose of this new variable.
Comment 4 Janek Walkenhorst univentionstaff 2017-05-24 10:48:03 CEST
<http://errata.software-univention.de/ucs/4.2/19.html>
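
A check for the overlap this report describes, as an added example that is not part of the original bug or of univention-samba: it parses `idmap config <domain> : range` lines from smb.conf text, reports intersecting ranges, and shows which range a given uidNumber/gidNumber falls into. The domain name EXAMPLE, the function names and the three sample fragments are assumptions constructed for illustration from the ranges quoted above.

```python
import re

# Matches smb.conf lines such as "idmap config * : range = 55000-64000".
IDMAP_RANGE = re.compile(
    r"^[ \t]*idmap[ \t]+config[ \t]+(?P<dom>\S+)[ \t]*:[ \t]*range[ \t]*="
    r"[ \t]*(?P<lo>\d+)[ \t]*-[ \t]*(?P<hi>\d+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for every 'idmap config <domain> : range' line."""
    ranges = {}
    for m in IDMAP_RANGE.finditer(smb_conf):
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError("inverted range for %s: %d-%d" % (m.group("dom"), lo, hi))
        ranges[m.group("dom")] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return (domain_a, domain_b) pairs whose inclusive ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def owning_domains(ranges, posix_id):
    """Return the domains whose range contains the given uidNumber/gidNumber."""
    return sorted(d for d, (lo, hi) in ranges.items() if lo <= posix_id <= hi)


# Constructed smb.conf fragments; EXAMPLE is a placeholder domain name.
STOCK = ("\tidmap config * : backend\t= ldap\n"
         "\tidmap config * : range\t\t= 55000-64000\n"
         "\tidmap config EXAMPLE : backend = nss\n"
         "\tidmap config EXAMPLE : range = 1000-54999\n")
# Only the domain range raised, "*" still hard-coded: the situation reported here.
DOMAIN_ONLY = STOCK.replace("1000-54999", "1000-549999")
# Both ranges set, as in the verification comment.
BOTH_SET = DOMAIN_ONLY.replace("55000-64000", "550000-640000")

if __name__ == "__main__":
    for label, conf in (("stock", STOCK), ("domain only", DOMAIN_ONLY),
                        ("both set", BOTH_SET)):
        r = parse_idmap_ranges(conf)
        print(label, "overlaps:", find_overlaps(r), "id 60000 in:", owning_domains(r, 60000))
```
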