make 'ldap trust ids' the default?

Andrew Bartlett abartlet at
Mon Nov 4 08:54:01 GMT 2002

On Mon, 2002-11-04 at 16:27, Steve Langasek wrote:
> On Sat, Nov 02, 2002 at 06:36:47PM +1100, Andrew Bartlett wrote:
> > I've just committed a patch that adds a new 'ldap trust ids' smb.conf
> > option.
> > Currently defaulting to off, this option allows pdb_ldap to use the ldap
> > server directly to determine if a user 'exists' in unix.
> > This gives us a performance boost, particularly on enumerations: 
> > (Removes the extra lookup per record).  
> > The logic is such that if there are no posixAccount attributes for a
> > user, we try getpwnam(), it's just that we look in LDAP first.
> > As such, do people think we should have this by default?  
> > This was a fix to solve some particular problems that metze had, and
> > I'll see if I can get some feedback on exactly how much this helps.
> This seems terribly kludgy to me.  There's a lot that can be done to
> optimize unix username lookups without violating the abstraction (e.g.,
> nscd).  I particularly don't think this should be used for anything that
> involves *enumerating* users, as the most frequent NSS configuration
> involving LDAP is to reference both LDAP *and* local files; so
> enumerating via the Unix calls may give different results than doing so
> via the LDAP calls.

We already break most NSS abstractions quite badly :-)

Enumeration occurs on the pdb users - ie the users we store in LDAP.  It
is not practical to enumerate unix (or even unixsam)users, particularly
when we might be running winbindd.

But indeed, this is a kludge.  Instead, we should not consult the unix
system at all - only mapping to unix IDs via an 'idmap' mechanism.  This
would imply that Samba's 'NT' database is the authoritive source of
users, not unix (which would have to use some nss module to gain access
to that information).

This is the design proposal for the 'new SAM', but for now we are stuck
with the pdb system, and we need to make it work.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list