CVS update: samba/source/auth

[Andrew Bartlett]

On Mon, Jul 07, 2003 at 12:13:35AM -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Mon, 7 Jul 2003 jerry at samba.org wrote:
> 
> > 
> > Date:	Mon Jul  7 05:11:09 2003
> > Author:	jerry
> > 
> > Update of /data/cvs/samba/source/auth
> > In directory dp.samba.org:/tmp/cvs-serv10743/auth
> > 
> > Modified Files:
> >       Tag: SAMBA_3_0
> > 	auth_util.c auth_winbind.c 
> > Log Message:
> > and so it begins....
> > 
> > * remove idmap_XX_to_XX calls from smbd.  Move back to the
> >   the winbind_XXX and local_XXX calls used in 2.2

Sorry to jump back right to the start of this thread - but while I have
objections to much of the rest of this, on review, this really is the nasty
part...

This isn't the calls we had in Samba 2.2 - this is a revertion to the ugly
hack the plagued Samba 3.0 up until idmap.  (I can say it is any ugly hack 
becouse I added it, to start vl on his vampire work, and I was very glad to 
get rid of it in favor of idmap).   

Samba 2.2 has a very simple function to so this - uid*2+1000.  Instead, for 
every sid->uid call, we are making nss and passdb calls all over the place, 
and if they fail (NIS outage etc) we fail the lookup.  This not only means
that SIDs (which can be almost arbitary on NT) are not valid/invalid depending
on the state of the network.  At least my previous code fall back to the 
algorithm.

Why can't we ask winbind to translate these SIDs - lookup the mapping that
might already exist (some other host might have given this SID a mapping in
idmap, and we want this to be consistant for NFS) and have it fall back to 
the algorithm if that has no mapping?  Or even allow this name-based mapping 
by option, giving sites that have an LDAP based idmap (using the user entries
as it now does) the option of a fast, tdb-cached lookup?

Andrew Bartlett