Meaning of 'idmap backend' ?

Simo Sorce simo.sorce at xsec.it
Tue Jul 1 08:47:15 GMT 2003


On Tue, 2003-07-01 at 03:30, Andrew Bartlett wrote:
> How is this for a nasty situation:
> 
> Who owns the 'nobody' user?  We have decided that this belongs to the
> local SAM's 'guest' account, as we must have a guest, and they need a
> valid NT SID, and it really needs to end in -501.
> 
> However, what happens if 10 domain members, all with read-write access
> onto a central LDAP server, try to set the mapping between uid '99' and
> my-sid-xyz-501, for each different version of my-sid-xyz...
> 
> Andrew Bartlett

Well, there are 2 possible solutions:

1. Keep the possibility of having slightly different mappings under a
certain uid on the system, so that each system will have the Guest
mapped only locally.

2. Each system needs a different nobody.


---

1. This is the easiest and most compatible way, but it also has the
problem that xx-yyy-zzz-501 SIDs from other domains have problems being
mapped.

2. This is really difficult to adopt on existing systems, but not a
problem for new networks.

---

Now I think a middle-ground solution is:
allow well-known SIDs (and only them), like the admin and guest users, and
the admin, guest and users groups, to have multimappings, so that each
system has the same mapping for its own well-known users/groups.


In this scenario you have

uid 99 ->  special-prefix-501

aa-aa-aa-501 -> uid 99
bb-bb-bb-501 -> uid 99
cc-cc-cc-501 -> uid 99

When you ask for 99 you get only the mapping relative to your domain, by
substituting special-prefix with your own domain prefix.

This is not a very nice solution but may be a good compromise.

Now I'll wait for screams that debunk this crappy idea :-)

Simo.

-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
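The multimapping scheme sketched above, modelled as a small shared SID<->uid table so the race Andrew describes (ten members in ten domains all writing "-501 -> uid 99" into one central backend) can be run both ways. This is an added example, not Samba's idmap code or anything Simo posted: the `SharedIdmap` class, `MappingConflict`, `simulate_members` and the `S-1-5-21-i-i-i` domain SIDs are constructed for illustration, and `special-prefix` is the placeholder from the mail. The well-known RIDs used are the standard ones for Administrator (500), Guest (501), Domain Admins (512), Domain Users (513) and Domain Guests (514).

```python
"""Model of 'multimappings for well-known SIDs only' in a shared idmap backend (example code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>; the trailing RID names the account.
_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# RIDs every domain has: Administrator, Guest, Domain Admins, Domain Users, Domain Guests.
WELLKNOWN_RIDS: Set[int] = {500, 501, 512, 513, 514}

# Placeholder from the mail: stands in for "the prefix of whichever domain is asking".
SPECIAL_PREFIX = "special-prefix"


class MappingConflict(Exception):
    """Two members tried to store incompatible mappings in the shared backend."""


def split_sid(sid: str):
    """Return (domain prefix, rid) or raise on anything that is not a domain SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


@dataclass
class SharedIdmap:
    """A central (LDAP-like) SID<->uid table written by many domain members (hypothetical)."""
    multimap_rids: Set[int] = field(default_factory=lambda: set(WELLKNOWN_RIDS))
    sid_to_id: Dict[str, int] = field(default_factory=dict)
    id_to_sid: Dict[int, str] = field(default_factory=dict)

    def _key(self, sid: str) -> str:
        # Well-known RIDs are stored under the special prefix, so every domain's
        # Guest collapses onto one entry; everything else keeps its real SID.
        _prefix, rid = split_sid(sid)
        if rid in self.multimap_rids:
            return f"{SPECIAL_PREFIX}-{rid}"
        return sid

    def set_mapping(self, sid: str, unix_id: int) -> None:
        """Store sid<->unix_id, refusing to silently overwrite a different mapping."""
        key = self._key(sid)
        if self.sid_to_id.get(key, unix_id) != unix_id:
            raise MappingConflict(f"{sid} already mapped to {self.sid_to_id[key]}")
        if self.id_to_sid.get(unix_id, key) != key:
            raise MappingConflict(f"id {unix_id} already mapped to {self.id_to_sid[unix_id]}")
        self.sid_to_id[key] = unix_id
        self.id_to_sid[unix_id] = key

    def id_for_sid(self, sid: str) -> Optional[int]:
        """aa-aa-aa-501, bb-bb-bb-501, ... all resolve to the same uid."""
        return self.sid_to_id.get(self._key(sid))

    def sid_for_id(self, unix_id: int, local_domain_sid: str) -> Optional[str]:
        """uid -> SID; a special-prefix entry is rewritten with the asking domain's prefix."""
        key = self.id_to_sid.get(unix_id)
        if key is None:
            return None
        if key.startswith(SPECIAL_PREFIX + "-"):
            return local_domain_sid + key[len(SPECIAL_PREFIX):]
        return key


def simulate_members(n_members: int, multimap: bool) -> Dict[str, object]:
    """n members, each in its own (constructed) domain, all map their Guest (-501) to uid 99."""
    backend = SharedIdmap(multimap_rids=set(WELLKNOWN_RIDS) if multimap else set())
    domains = [f"S-1-5-21-{i}-{i}-{i}" for i in range(1, n_members + 1)]
    conflicts = 0
    for dom in domains:
        try:
            backend.set_mapping(f"{dom}-501", 99)
        except MappingConflict:
            conflicts += 1
    return {"conflicts": conflicts, "backend": backend, "domains": domains}


if __name__ == "__main__":
    for flag in (False, True):
        r = simulate_members(10, multimap=flag)
        print(f"multimap={flag}: {r['conflicts']} of 10 members hit a conflict")
    b = simulate_members(10, multimap=True)["backend"]
    print(b.sid_for_id(99, "S-1-5-21-4-4-4"))  # member 4 sees its own Guest SID
```

Without multimapping the first member wins and the other nine get a conflict (or, in a backend that just overwrites, they silently flip the mapping under each other); with it, every domain's -501 lands on uid 99 and each member reading uid 99 back gets its own domain's Guest SID. Ordinary RIDs are unaffected, so the per-domain uniqueness Andrew wants for everything else is kept.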