Meaning of 'idmap backend' ?
Andrew Bartlett
abartlet at samba.org
Tue Jul 1 01:30:33 GMT 2003
On Tue, 2003-07-01 at 01:56, Simo Sorce wrote:
> On Mon, 2003-06-30 at 17:18, Volker Lendecke wrote:
> > Hi!
> >
> > In trying to understand the IDMAP, the concept of a remote IDMAP
> > somewhat puzzles me, at least as far as it is coded and commented:
> >
> > Who is authoritative for mappings? Is it the local (or cache or
> > whatever) map? If this is the case then I don't see how the BDC
> > situation is decently handled. Simo, you had confirmed that you took
> > care of that decently.
>
> The idea is that if you have a remote mapping, then that is the
> authoritative one.
> The remote mapping may be a centralized idmap (code not done yet), or a
> centralized LDAP server.
> Currently it serves also winbind but that's to keep compatibility, it's
> not the right way to go for future development.
>
> In future development I think we should move the "remote/authoritative"
> functionality into winbind, so that we can avoid abusing resources.
> Winbind can effectively handle a single ldap connection or any other
> mechanism and also provide more information to determine the SID mapping
> (UID or GID?) in some cases.
smbd will now always ask winbindd for the 'remote' stuff. This means
that it breaks if smbd tries to 'set' a mapping, as we don't have that
code in the winbind idmap module.
Indeed, I think it's the fact that this is broken that might be
preventing some of the lockups I'm so worried about :-).
> > Looking at idmap_set_mapping confuses me even more. We first update the
> > local mapping and then try to update the remote one with a puzzling
> > comment:
> >
> > /* Being able to update the remote cache is seldomly right.
> > Generally this is a forbidden operation. */
> >
> > So who does ever update the remote mapping?
> >
> > *confused*
>
> Well the idea is that you generally ask for a mapping to the
> remote/authoritative map. When you ask for a mapping the remote map will
> actually do the map for you and come back with the result.
> On a client of a centralized idmap you should set arbitrary mappings
> only on the master not on a client (that's the source of the comment).
>
> The idea is that you should have a control mechanism that makes the
> central idmap admin decide if remote servers can add mappings, in that
> case remote servers will be able to push mappings, otherwise a
> set_mapping on client idmap server should not be able to push the
> mapping.
>
> Currently you are entitled to set the mapping locally even if the remote
> backend does not, to be able to use the winbind_idmap hack.
>
> It's not the nicest thing on earth but it works just now, I know we need
> to improve that mechanism.
How is this for a nasty situation:
Who owns the 'nobody' user? We have decided that this belongs to the
local SAM's 'guest' account, as we must have a guest, and they need a
valid NT sid, and it really needs to end in -501.
However, what happens if 10 domain members, all with read-write access
to a central LDAP server, try to set the mapping between uid '99' and
my-sid-xyz-501, for each different version of my-sid-xyz...
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
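The following is an added toy model of the design argued over in this thread (a central, authoritative SID-to-uid/gid map, per-member local caches, an admin switch controlling whether members may push mappings, and Andrew's ten-members-one-uid-99 race). It is illustration code written for this page, not Samba's idmap implementation; the class names, the `strict` flag and the constructed domain SIDs are all assumptions made here.

```python
# Toy model of the idmap discussion: a central, authoritative SID<->uid/gid
# store plus per-member local caches.  Added illustration, not Samba code;
# all names below (CentralIdmap, MemberServer, guest_race, strict) are my own.

from dataclasses import dataclass, field


class MappingConflict(Exception):
    """Raised by a strict central store when a uid/gid already belongs to another SID."""


class CentralIdmap:
    """Stands in for the central LDAP server that is authoritative for mappings."""

    def __init__(self, allow_client_push=False, strict=True):
        self.allow_client_push = allow_client_push  # the admin control Simo describes
        self.strict = strict                        # refuse, rather than overwrite, conflicts
        self.sid_to_id = {}                         # sid -> (kind, number)
        self.id_to_sid = {}                         # (kind, number) -> sid

    def lookup_sid(self, sid):
        return self.sid_to_id.get(sid)

    def lookup_id(self, kind, number):
        return self.id_to_sid.get((kind, number))

    def set_mapping(self, sid, kind, number, from_client):
        if from_client and not self.allow_client_push:
            raise PermissionError("clients may not push mappings to the master")
        key = (kind, number)
        owner = self.id_to_sid.get(key)
        if owner is not None and owner != sid:
            if self.strict:
                raise MappingConflict(f"{kind} {number} already belongs to {owner}")
            # Non-strict store: last writer wins.  The previous owner's forward
            # entry survives, so the map silently stops being one-to-one.
        self.sid_to_id[sid] = key
        self.id_to_sid[key] = sid


@dataclass
class MemberServer:
    """A domain member with its own local SAM and a local idmap cache."""
    name: str
    local_sam_sid: str
    central: CentralIdmap
    local_map: dict = field(default_factory=dict)

    @property
    def guest_sid(self):
        return f"{self.local_sam_sid}-501"   # the local SAM's guest account RID

    def get_mapping(self, sid):
        # Local cache first; otherwise the remote map is authoritative.
        if sid in self.local_map:
            return self.local_map[sid]
        result = self.central.lookup_sid(sid)
        if result is not None:
            self.local_map[sid] = result
        return result

    def set_mapping(self, sid, kind, number):
        """Set locally first, then try to push.  Returns 'pushed', 'refused' or 'conflict'."""
        self.local_map[sid] = (kind, number)     # local set always succeeds, as in the thread
        try:
            self.central.set_mapping(sid, kind, number, from_client=True)
            return "pushed"
        except PermissionError:
            return "refused"
        except MappingConflict:
            return "conflict"


def guest_race(n_members, allow_client_push, strict=True):
    """Andrew's scenario: n members each map uid 99 ('nobody') to their own -501 SID."""
    central = CentralIdmap(allow_client_push=allow_client_push, strict=strict)
    members = [
        # Constructed, fictitious domain SIDs; one local SAM per member.
        MemberServer(f"member{i}", f"S-1-5-21-{1000 + i}-{2000 + i}-{3000 + i}", central)
        for i in range(1, n_members + 1)
    ]
    outcomes = {m.name: m.set_mapping(m.guest_sid, "uid", 99) for m in members}
    return central, members, outcomes


if __name__ == "__main__":
    for push, strict in ((False, True), (True, True), (True, False)):
        central, members, outcomes = guest_race(10, push, strict)
        print(f"push={push} strict={strict}: outcomes {sorted(set(outcomes.values()))}")
        print("  uid 99 on the master ->", central.lookup_id("uid", 99))
        print("  member1 guest SID on the master ->", central.lookup_sid(members[0].guest_sid))
```

Three things the model makes visible: with pushes disabled every member keeps a local uid 99 mapping that the master never learns about (the local/remote divergence Volker asks about); with pushes allowed and a strict master, the first member wins and the other nine are left with a cached mapping the master contradicts; with a naive last-writer-wins master, every push "succeeds" and uid 99 ends up reverse-mapping to one SID while all ten guest SIDs still forward-map to uid 99.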