the end of unixsam, idmap future and other missives

Andrew Bartlett abartlet at samba.org
Wed Jan 29 13:26:33 GMT 2003


'it seemed like a good idea at the time...'

I've come to the conclusion that 'unixsam' has reached the end of its
useful life.  And a short life it has been, too.

Originally added as a way of moving the last of the 'fixed' uid->rid
translations into the passdb backends, and as a way of doing some
'name->sid' translations uniformly, the unixsam backend has also created
its fair share of troubles....

In particular, it creates a real mess with the way the SAMR 'create
user' call works: the user doesn't really exist - we have no samba
attributes for that user - but the user does exist, and so the Windows
client does a 'modify password' not an 'add user'.  This means that the
real account control bits are never set - causing a bit of a mess
between some of the different types of trust accounts.

It also makes some of the 'net rpc vampire' stuff messier than it should
be.

As such, we need to get the idmap stuff separated:
 - all SIDs should be algorithmically mapped from their uid/gid, except:
   - SIDs specifically entered in the IDMAP database
   - SIDs outside our local domain (ie our passdb).

 - We should try and make this as transparent as possible:
  - we should have an LDAP backend that maps the local domain to UIDs via
an ldap lookup on the 'rid' and 'uidnumber' attributes.
  - this should mean that existing NT->Samba migrations should 'just
work'
 
 - We should have some way to move from the current TDB to an LDAP
backend.

 - All accounts would become 'non unix accounts', with idmap sorting
things out later.  (we could add a sid->uid->getpwuid() check in
critical places if required).
 - Adding an existing 'unix' account with smbpasswd, rpc etc would set
both the idmap and the pdb entry.  With LDAP they would actually be the
same record.

Hmm, after thinking about all this we might even be able to kill off
unixsam without all that - possibly just serving rids 500 and 501.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
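The resolution order proposed in the mail above (entries specifically entered in the idmap database first, then algorithmic mapping for SIDs in the local domain, then allocation for SIDs outside it) written out as an added example. This is not Samba code and not part of the original message. It assumes Samba 3's default algorithmic formula (user rid = uid * 2 + 1000, group rid = gid * 2 + 1001, i.e. 'algorithmic rid base' 1000 with a multiplier of 2); the domain SID, the foreign allocation range starting at 10000, and the Administrator-to-root entry are constructed for the illustration.

```python
"""Added illustration of the proposed idmap resolution order. Not Samba code.
The constants are Samba 3 defaults; the domain SID and allocation range
are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Kind = str  # "uid" or "gid"

LOCAL_DOMAIN_SID = "S-1-5-21-1-2-3"   # constructed sample domain SID (assumption)
ALGORITHMIC_RID_BASE = 1000           # Samba 3 default of 'algorithmic rid base'
RID_MULTIPLIER = 2                    # Samba 3 RID_MULTIPLIER: users even, groups odd
FOREIGN_ID_START = 10000              # assumed start of the range handed to foreign SIDs


def uid_to_rid(uid: int) -> int:
    """Algorithmic user RID: uid * 2 + 1000."""
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE


def gid_to_rid(gid: int) -> int:
    """Algorithmic group RID: gid * 2 + 1001 (odd, so it never collides with a user)."""
    return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + 1


def rid_to_id(rid: int) -> Optional[Tuple[Kind, int]]:
    """Invert the algorithm. RIDs below the base (e.g. 500/501) are not algorithmic."""
    if rid < ALGORITHMIC_RID_BASE:
        return None
    offset = rid - ALGORITHMIC_RID_BASE
    kind = "uid" if offset % RID_MULTIPLIER == 0 else "gid"
    return kind, offset // RID_MULTIPLIER


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-1-2-3-3000' -> ('S-1-5-21-1-2-3', 3000)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


@dataclass
class Idmap:
    local_domain: str
    # explicit entries (the 'IDMAP database'), kept in both directions
    sid_to_entry: Dict[str, Tuple[Kind, int]] = field(default_factory=dict)
    id_to_entry: Dict[Tuple[Kind, int], str] = field(default_factory=dict)
    next_free: int = FOREIGN_ID_START

    def set_mapping(self, sid: str, kind: Kind, id_: int) -> None:
        """Record a mapping explicitly (what adding an existing unix account would do)."""
        self.sid_to_entry[sid] = (kind, id_)
        self.id_to_entry[(kind, id_)] = sid

    def sid_to_id(self, sid: str, want: Kind = "uid") -> Optional[Tuple[Kind, int]]:
        # 1. SIDs specifically entered in the idmap database win over everything.
        if sid in self.sid_to_entry:
            return self.sid_to_entry[sid]
        domain, rid = split_sid(sid)
        # 2. Local-domain SIDs are algorithmic; well-known RIDs need an explicit entry.
        if domain == self.local_domain:
            return rid_to_id(rid)
        # 3. SIDs outside the local domain: allocate an id of the requested kind
        #    and remember it, so the same SID always comes back to the same id.
        entry = (want, self.next_free)
        self.next_free += 1
        self.set_mapping(sid, *entry)
        return entry

    def id_to_sid(self, kind: Kind, id_: int) -> str:
        # Explicit entries first (covers foreign SIDs and overrides such as RID 500).
        if (kind, id_) in self.id_to_entry:
            return self.id_to_entry[(kind, id_)]
        rid = uid_to_rid(id_) if kind == "uid" else gid_to_rid(id_)
        return f"{self.local_domain}-{rid}"


if __name__ == "__main__":
    m = Idmap(LOCAL_DOMAIN_SID)
    m.set_mapping(f"{LOCAL_DOMAIN_SID}-500", "uid", 0)  # Administrator -> root, entered explicitly
    print(m.sid_to_id(f"{LOCAL_DOMAIN_SID}-3000"))      # algorithmic: ('uid', 1000)
    print(m.sid_to_id(f"{LOCAL_DOMAIN_SID}-500"))       # from the idmap database: ('uid', 0)
    print(m.sid_to_id("S-1-5-21-9-9-9-1105"))           # foreign, allocated: ('uid', 10000)
    print(m.id_to_sid("gid", 100))                       # S-1-5-21-1-2-3-1201
```

A SID on its own does not say whether it names a user or a group, so the foreign-SID branch takes a `want` hint from the caller; a real implementation would learn the type from a lookup against the owning domain before allocating. Local-domain RIDs below the algorithmic base (500 and 501 among them) deliberately return nothing unless an explicit entry exists, which is the case the mail leaves for a minimal unixsam or the idmap database to cover.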