refactoring idmap code in smbd

Esh, Andrew Andrew_Esh at adaptec.com
Wed Jul 9 18:39:19 GMT 2003


Have you considered UID collisions other than UID 0? Right now, winbindd
simply has a range of IDs it can assign, which is configurable. It is
assumed the admin has given winbindd authority to use all of the IDs in that
range, and they have chosen the range so as not to collide with other ID
assignment authorities. Such a range may not always be enough, and the
assumption is usually wasteful of UID numbers.

For example, using a hash function for the potential Windows users from one
domain, converting their RIDs to UIDs, requires the entire Unix user ID
space be allocated to winbindd's use. I realize that there probably won't be
that many users in one domain, but then there are trusted domains. What
happens from an administrative standpoint when the range runs out?

The problem is this: The inclusion of UIDs from /etc/passwd, NIS, and
Trusted Domains leads to the need for a complex UID assignment function. Is
that going to be scriptable, because there doesn't appear to be a generic
solution to the problem.

-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org]
Sent: Wednesday, July 09, 2003 12:06 PM
To: Gerald (Jerry) Carter
Cc: samba-technical at samba.org
Subject: Re: refactoring idmap code in smbd


Adding a password and group database source to winbindd allows
easy migration of existing NT SAM databases (all the new users/
sids get auto created by winbindd and are now seen by the rest
of the system), and also the creation of machine accounts without
having to have them in /etc/passwd (winbindd creates the entries
in its own db).

Jeremy.
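
The two mapping styles discussed in this thread, as an added example that is not part of the original messages and is not Samba's code: a stateful allocator that hands out UIDs from a configured range until it runs out, and a stateless RID hash that collides across trusted domains and with local accounts. The SIDs, the 10000-10099 range, the passwd lines and all function names are constructed for illustration.

```python
# Added illustration: all names, SIDs, ranges and passwd lines are constructed.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
nfsuser:x:10050:100::/home/nfsuser:/bin/sh
"""
SIDS = [
    "S-1-5-21-1111-2222-3333-1105",   # user in domain A
    "S-1-5-21-4444-5555-6666-1105",   # same RID in a trusted domain B
    "S-1-5-21-1111-2222-3333-1150",
]

def local_uids(passwd_text):
    """Map UID -> name for IDs owned by another authority (passwd format)."""
    out = {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            out[int(fields[2])] = fields[0]
    return out

def range_overlap(low, high, taken):
    """Local accounts sitting inside the range handed to the mapper."""
    return {uid: name for uid, name in taken.items() if low <= uid <= high}

class RangeAllocator:
    """Stateful mapping: next unused UID from [low, high], first come first served."""
    def __init__(self, low, high):
        self.high, self.next, self.by_sid = high, low, {}

    def uid_for(self, sid):
        if sid not in self.by_sid:
            if self.next > self.high:
                raise RuntimeError("idmap range exhausted at " + sid)
            self.by_sid[sid] = self.next
            self.next += 1
        return self.by_sid[sid]

def hashed_uid(sid, low, high):
    """Stateless mapping: fold the RID (last SID component) into the range."""
    return low + int(sid.rsplit("-", 1)[1]) % (high - low + 1)

def hash_collisions(sids, low, high, taken):
    """(sid, uid, existing owner) for every hashed UID that is already owned."""
    owners, clashes = dict(taken), []
    for sid in sids:
        uid = hashed_uid(sid, low, high)
        if uid in owners:
            clashes.append((sid, uid, owners[uid]))
        owners.setdefault(uid, sid)
    return clashes
```

Running `range_overlap` against the real passwd and NIS maps before choosing a range shows which existing accounts a mapped Windows user would silently share a UID, and therefore file ownership, with.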


