refactoring idmap code in smbd

Gerald (Jerry) Carter jerry at samba.org
Wed Jul 9 16:45:25 GMT 2003


On Sun, 6 Jul 2003, Gerald (Jerry) Carter wrote:

> In exchange for removing all idmap calls from smbd, the forthcoming code 
> will
> 
>   a)  go through winbindd for all uid/gid allocation

done.

>   b)  complete the winbindd_passdb code to support
>       users not in /etc/passwd (for machine trust accounts and
>       for domain migration)

Tossed winbindd_passdb.c.  Didn't need it to support either 
requirement (machine trust accounts or domain migration).

>   c)  group mapping will be supported both with and without winbindd

always handled by local_xxx() family of functions in smbd/uid.c

>   d)  algorithmic rid mapping will still exist in its current
>       (as a fallback mechanism controlled by a parameter) and marked
>       as deprecated

done.

>   e)  require the use of NSS with winbindd (this was a requirement
>       in the later 2.2 releases so we're not breaking backwards
>       compatibility)

done.

The new code has been checked in.  Please see 
docs/README.idmap-and-winbind-changes in CVS for details.
I'm sure there will be a lot of discussion on this.

I'll give everyone time to digest the new design.
The code has been checked on 

  * domain members (running winbindd) of a Samba domain 
    and an AD domain

  * on a Samba PDC running winbindd with a 2-way trust 
    to an NT4 domain.  Includes domain joins and automatic
    creation of UNIX entities for machine trust accounts.

  * migrating an NT4 domain to a Samba PDC

  * standalone server


There are a couple of known issues:

  1) The user/group enumeration (getpwent()) for
     winbindd's account management functions is not done.

  2) The "delete user" and "delete group" functions are
     only stub functions currently

  3) when 'winbind trusted domains only = yes' is set, acls
     show the user as LOCAL_MACHINE\user instead of DOMAIN\user
     on the samba domain member.





cheers, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)
