On 04/17/2013 08:05 PM, Russell Jones wrote:

On 4/17/2013 5:52 PM, Dmitri Pal wrote:
Slices are not given out by the clients.

Let me try to illustrate.
Imagine that your slices are storage containers in a storage facility.
Each slice has a number.
You come in and you want to use a container. Which one?
We then take you name, SSN, eye color, DOB etc. and hash. As a result we
get a number. This number is the number of your storage container.
Same here. The part of the SID is the unique identifier that identities
the domain. The hash of it will always have number X. This number will
always define which storage container (slice)  would be used for your
domain. There is a chance that some other domain would have the same
number but the probability is very low.

No you can configure how big slices are. The bigger the slice the
smaller the number of the slices. So X might map to a different
container if you start re-configuring things and reducing the width of
the slices.

HTH.


Thanks Dmitri!

By "given to the clients" I meant by the SSSD daemon. Sorry for the confusion with how I typed up my scenario. What I am not understanding is how setting the default domain in the configuration prevents non-deterministic handling of slice collisions. The man page states:

"NOTE: It is possible to encounter collisions in the hash and subsequent modulus. In these situations, we will select the next available slice, but it may not be possible to reproduce the same exact set of slices on other machines (since the order that they are encountered will determine their slice). In this situation, it is recommended to..... <snip> .....  configure a default domain to guarantee that at least one is always consistent."

I think it refers to the case when you have configured two domains in SSSD. A & B. The domains happen to produce colliding hashes (bad luck). Depending upon the order of users coming and authenticating either of the domains can be mapped to the right slice and the other one to the next available. On two machines with the same configuration the order of users logging can be different so different slices would be picked for the two domains. To prevent it we suggest explicitely configuring at least one of the domains to map to a specific slice.


How does having one domain always be slice 0 resolve the other domains possibly not being consistent? Or is the "at least" in the man page saying that users of the domain assigned to slice 0 will always have the same UID's, but not necessarily users in the other domains?

 

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/