Observing ID mapping with DTrace
Want to see how idmapd maps some Windows SID to a Unix UID/GID? The idmap(1M) command does provide some degree of observability via the -v option to the show sub-command, but not nearly enough. Try this DTrace script.
The script is not complete, and, most importantly, is not remotely stable, as it uses pid provider probes on internal functions and encodes knowledge of private structures, all of which can change without notice. But it does help a lot! It helps in understanding not only the operational aspects of ID mapping, but also idmapd’s internals. And, happily, it points the way towards a proper, stable USDT provider for idmapd.
Folks who’ve seen the RPE TOI for ID mapping will probably wish that I’d written this months ago, and used it in the TOI presentation :)
Running the idmapd stress tests while this script is active produces an enormous amount of output, clearly showing how the asynchronous Active Directory LDAP searches and search results are handled.