refactoring idmap code in smbd
Andrew Bartlett
abartlet at samba.org
Thu Jul 10 07:59:59 GMT 2003
On Thu, Jul 10, 2003 at 06:16:23AM +0000, Jeremy Allison wrote:
> On Thu, Jul 10, 2003 at 01:31:22AM +0000, Andrew Bartlett wrote:
> >
> > If it was just unix uid and groups then I would be quite happy with it - but
> > now we have duplication of information - both the SAM and winbind have
> > independent ideas of what a user's unix username is, and what their full name
> > is. When a user is added or deleted from the SAM, winbind might not be told
> > (pdbedit with winbind shut down, for example), and there appears to be no
> > way to keep the other details (full name etc) in sync.
>
> Rephrase this as "both the SAM and /etc/passwd have
> independent ideas of what a user's unix username
> is, and what their full name is" and
> you'll see why this argument is specious...
So when we update a user's full name with user manager, we are happy to
just leave the nsswitch data stale? All other winbind users get updated - why
should users on a Samba PDC be made different?
Likewise, we have the very real issue of account renaming - this happens
particularly when we have a member server that changes its name. Currently
we are unable to support this - and this design makes it harder - not easier.
(Users in trusted domains are easily renamed - as we only store the SID->UID
mapping)
> We've worked like this for 9 years. It's how
> Samba works...
Except the Samba we have now is not the Samba we started with - and I think
that is a very good thing. We also now have a very clear idmap (at least it was
clear), which is SID based. By putting usernames back into the mix, we have
the very real risk of inconsistent mappings - as some go by SID (NT ACLs)
and some go by name (logins) but we never double check them both.
Particularly due to case sensitivity and domain qualification issues, username
based mappings have been phased out of Samba 3.0. (Until now at least...)
Andrew Bartlett