On 4/16/2013 11:40 PM, Stephen Gallagher wrote:
In the default configuration of SSSD, we create 10,000 slices, each
capable of handling up to 200,000 IDs. When we see a new user/group
objectSID, we parse it into two pieces; the first seven components of
data in the objectSID (S-1-5-21-1289899112-135578405-1515013291)
identifies the domain that the user belongs to. What we do is take
this value and pass it through a hashing function. This hashing
function will give us a predictable slice ID, one of the 10,000 slices
we created at startup. This slice ID defines the base value for
UIDs/GIDs in that domain. So if your domain hashes to slice 20, in the
default configuration this means that the base ID value would be
(200,000 + 20*200,000) (ldap_idmap_range_min plus twenty times the
ldap_idmap_range_size value). or: 4200000
I'm guessing that you modified the idmap_range_min to be 100000
instead of the default 200000 (like I had originally recommended), and
that's why your range was starting at 4100000
Once we have the base ID value identified by the hashing algorithm, we
look at the remaining part of the objectSID, which is called the RID
(relative ID). We take this number and just use it as an offset from
the base ID value. So the end result is base_value + RID.
When you tweak the size of the idmap_range_*, it alters the total
number of slices that are available to the configuration, which means
that the hashing algorithm will end up returning a different slice
value. (In technical terms, after we hash the domain SID, we take its
modulus with the total available slices in order to figure out which
slice to assign it).
Thank you Stephen, that was very thorough and informative, much appreciated!
One additional question for you regarding how collisions are handled.
Reading the man page, I understand how they can happen, but I am not
understanding how configuring a default domain to ensure at least one is
always consistent in the slice it is given resolves the issue.
For arguments sake, if we have default domain "A", and normal domain
as slice 0 and 1 respectively on both clients 1 and 2, and then domain C
on client 1 and domain D on client 2 collide with their hash and are
both given the next available slice, slice 2, it seems like we would
still have a problem.
Where am I going wrong in my understanding of the scenario?