Discussion: Using sha256sum instead of md5sums and checking for overlapping pools #1

@einhirn

Description

I found this fun little helper and tried it. At first I was a bit wary because of using a shell script, but I guess any kind of flexibility would need some scripting language or would make the C code much more complicated.

Since we only ever have maybe 30 or so users that are granted access to these servers, and since sssd/AD produces IDs that are in the range of 1,908,000,000-2,000,000,000, I adjusted the hashing line in /usr/local/sbin/nss_dynsubid a bit, so it would use sha256sum and only the last 8 places of the resulting integer. Otherwise I fear that the script could produce subid ranges that overlap with real UIDs, which, I gather, wouldn't be optimal.

I also produced this one-liner to help me check for overlapping subid ranges: it sorts by offset and calculates the upper end of the range. Afterwards it puts every number on its own line and checks whether it's sorted. If it weren't, you'd have an overlap. Of course this could be much nicer, but I didn't take time to write it out as a full script:

for i in $(getent group <user group> | cut -d: -f4 | tr "," " "); do
  # first 16 hex chars of sha256(uid) as a 64-bit integer; keep the last 8 decimal
  # digits (zero-padded, so the result is always 8 wide) and prefix "1"
  a=1$(printf "%08u" "0x$(id -u "$i" | sha256sum | head -c16)" | tail -c8)
  echo "$a:$((a+65535))"
done | sort | tr ":" "\n" | sort -cu   # -u: a start equal to the previous end is an overlap too

For your environment you might have to change the input of the for loop, and one might use either the script directly or the 'getsubids' tool instead of writing out the hashing portion but you get the idea...
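The same check as a small stand-alone script, added here as an example; it is not part of the issue or of the nss_dynsubid project. The `subid_start` derivation is my reconstruction of the one-liner above (sha256 of the uid as `id -u` prints it, first 16 hex digits as a 64-bit integer, last 8 decimal digits, prefixed with "1"), so it matches the one-liner only as far as the modified nss_dynsubid really hashes that way (an assumption). The account ID band is taken from the numbers quoted in the issue and the sample uids are constructed. Because an 8-digit space holds only about 1526 disjoint 65536-wide ranges, the overlap check is worth running whenever users are added, and the script also treats a start equal to the previous end as an overlap, which a plain `sort -c` would pass.

```python
import hashlib

# One 65536-wide range per user, as in the one-liner above: start .. start+65535 inclusive.
RANGE_SIZE = 65536
# Account ID band the issue reports for its sssd/AD setup; treated here as an
# assumed, constructed interval to check the derived ranges against.
REAL_UID_BAND = (1_908_000_000, 2_000_000_000)


def subid_start(uid: int) -> int:
    """Reconstruct the derivation used in the one-liner (assumption: it mirrors the
    modified nss_dynsubid): sha256 of the uid as `id -u` prints it (with a trailing
    newline), first 16 hex digits as a 64-bit integer, last 8 decimal digits
    (zero-padded), prefixed with '1' so the result is always 100000000..199999999."""
    digest = hashlib.sha256(f"{uid}\n".encode()).hexdigest()
    n = int(digest[:16], 16)
    return int("1" + f"{n:08d}"[-8:])


def range_overlaps(starts):
    """starts: mapping uid -> subid range start.
    Return the list of (uid_a, uid_b) pairs whose inclusive ranges overlap.
    Sort by start and compare each start with the previous end; since all ranges
    have the same width, checking adjacent pairs is sufficient. The '==' case is an
    overlap too (a plain `sort -c` lets it pass, `sort -cu` catches it)."""
    ordered = sorted((start, uid) for uid, start in starts.items())
    overlaps = []
    for (s1, u1), (s2, u2) in zip(ordered, ordered[1:]):
        if s2 <= s1 + RANGE_SIZE - 1:
            overlaps.append((u1, u2))
    return overlaps


def band_collisions(starts, band=REAL_UID_BAND):
    """Return the uids whose derived range intersects the real account ID band."""
    lo, hi = band
    return sorted(uid for uid, s in starts.items()
                  if s <= hi and s + RANGE_SIZE - 1 >= lo)


def check_users(uids):
    """Derive a range for every uid and run both checks."""
    starts = {uid: subid_start(uid) for uid in uids}
    return starts, range_overlaps(starts), band_collisions(starts)


if __name__ == "__main__":
    # Constructed sample uids inside the band the issue describes.
    sample = [1_908_000_000 + i for i in range(30)]
    starts, overlaps, collisions = check_users(sample)
    for uid in sample:
        print(f"{uid}: {starts[uid]}-{starts[uid] + RANGE_SIZE - 1}")
    print("overlapping pairs:", overlaps or "none")
    print("collisions with real uid band:", collisions or "none")
```

To run it against a real group, replace the constructed `sample` list with the uids of the group members (for example the output of `getent group <user group>` resolved through `id -u`); any pair reported by `range_overlaps` needs a different offset for one of the two users.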
