On 04/17/2013 08:05 PM, Russell Jones wrote:
On 4/17/2013 5:52 PM, Dmitri Pal
Slices are not given out by the clients.
Let me try to illustrate.
Imagine that your slices are storage containers in a storage facility.
Each slice has a number.
You come in and you want to use a container. Which one?
We then take you name, SSN, eye color, DOB etc. and hash. As a result we
get a number. This number is the number of your storage container.
Same here. The part of the SID is the unique identifier that identities
the domain. The hash of it will always have number X. This number will
always define which storage container (slice) would be used for your
domain. There is a chance that some other domain would have the same
number but the probability is very low.
No you can configure how big slices are. The bigger the slice the
smaller the number of the slices. So X might map to a different
container if you start re-configuring things and reducing the width of
By "given to the clients" I meant by the SSSD daemon. Sorry for
the confusion with how I typed up my scenario. What I am not
understanding is how setting the default domain in the
configuration prevents non-deterministic handling of slice
collisions. The man page states:
"NOTE: It is possible to encounter
collisions in the hash and subsequent modulus. In these
situations, we will select the next available slice, but it may
not be possible to reproduce the same exact set of slices on
other machines (since the order that they are encountered will
determine their slice). In this situation, it is recommended
to..... <snip> .....
configure a default domain to guarantee that at least one is
I think it refers to the case when you have configured two domains
in SSSD. A & B. The domains happen to produce colliding hashes
(bad luck). Depending upon the order of users coming and
authenticating either of the domains can be mapped to the right
slice and the other one to the next available. On two machines with
the same configuration the order of users logging can be different
so different slices would be picked for the two domains. To prevent
it we suggest explicitely configuring at least one of the domains to
map to a specific slice.
How does having one domain always be slice 0 resolve the other
domains possibly not being consistent? Or is the "at least" in
the man page saying that users of the domain assigned to slice 0
will always have the same UID's, but not necessarily users in
the other domains?
sssd-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Looking to carve out IT costs?