Commit my stuff to 3.0?

Andrew Bartlett abartlet at
Sun Oct 13 13:44:00 GMT 2002

Simo Sorce wrote:
> On Sun, 2002-10-13 at 15:13, Stefan (metze) Metzmacher wrote:
> > I think idmap is the right place. we should move it from nsswitch to an own
> > directory and make it plugable. (See Roadmap of 3_0: it is needed)
> I'm not sure we need it to be pluggable, please explain the benefits.

We should be able to store it in LDAP or TDB or ...  

LDAP storage (backed with TDB cache) kills off the nasty matter of
winbind uid sync/NFS, but has nasty problems if you LDAP server is
unreachable.  (Many sites will accept this however).

> > And let it map sid -> u/gids and u/gids -> sid.
> >
> > Maybe let it hold two contexts:
> why??
> > 1. for all trusted domains (and our domain if we are a member server)
> > uses
> > winbind uid =
> > winbind gid =
> >
> > to export mapping to unix (nss_winbind) and samba
> >
> > 2. for our local sam (witch is also the domain sam if we are a DC)
> > uses
> > idmap uid =
> > idmap gid =
> >
> > to export mappings to samba (and maybe later also to unix via winbind)
> Makes no sense, we need only a single idmap that handles all
> sid->[u,g]id [u,g]id->sid, splitting it into pieces is the most wrong
> thing we may do.

Well, we operate in 2 fundementally different modes:  Winbind based
users are fixed in SID, and we set the UID/GID.  Unix based users are
fixed in uid/gid and we allocate the SID.

I think this is what metze was meaning.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list