refactoring idmap code in smbd

Gerald (Jerry) Carter jerry at
Wed Jul 9 16:45:25 GMT 2003


On Sun, 6 Jul 2003, Gerald (Jerry) Carter wrote:

> In exchange for removing all idmap calls from smbd, the forthcoming code will
>   a)  go through winbindd for all uid/gid allocation


>   b)  complete the winbindd_passdb code to support
>       users not in /etc/passwd (for machine trust accounts and
>       for domain migration)

Tossed winbindd_passdb.c.  Didn't need it to support either 
requirement (machine trust accounts or domain migration).

>   c)  group mapping will be supported both with and without winbindd

always handled by local_xxx() family of functions in smbd/uid.c

>   d)  algorithmic rid mapping will still exist in its current
>       (as a fallback mechanism controlled by a parameter) and marked
>       as deprecated


>   e)  require the use of NSS with winbindd (this was a requirement
>       in the later 2.2 releases so we're not breaking backwards
>       compatibility)


The new code has been checked in.  Please see 
docs/README.idmap-and-winbind-changes in CVS for details.
I'm sure there will be a lot of discussion on this.

I'll give everyone time to digest the new design.
The code has been checked on 

  * domain members (running winbindd) of a Samba domain 
    and an AD domain

  * on a Samba PDC running winbindd with a 2-way trust 
    to an NT4 domain.  Includes domain joins and automatic
    creation of UNIX entities for machine trust accounts.

  * migrating an NT4 domain to a Samba PDC

  * standalone server

There are a couple of known issues:

  1) The user/group enumeration (getpwent()) for
     winbindd's account management functions is not done.

  2) The "delete user" and "delete group" functions are
     only stub functions currently

  3) when 'winbind trusted domains only = yes' is set, acls
     show the user as LOCAL_MACHINE\user instead of DOMAIN\user
     on the samba domain member.

cheers, jerry
 Hewlett-Packard            -------------------------
 SAMBA Team                 ----------------------
 GnuPG Key                  ----
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)
