refactoring idmap code in smbd

Gerald (Jerry) Carter jerry at samba.org
Thu Jul 10 16:01:59 GMT 2003



On Thu, 10 Jul 2003, Gerald (Jerry) Carter wrote:

> I don't care if you want to code up a winbindd_passdb backend.  I don't
> care if you check it into the tree.  But it will not be the default
> behavior.  At least not initially.  And it better not be any more
> invasive to winbindd than the rpc_methds or ads_methods.

Simo and I have had a long chat on #samba-technical.  There is one point
that has been left out of the winbindd_passdb discussion.
While Simo might disagree with this assessment, winbindd_passdb+idmap
is an attempt to remove the need for an 'adduser script' altogether.

Think of the current implementation of samr_create_user().

  does user exist in passdb?  (if yes, fail ALREADY_EXISTS)
  does unix user by this name exist?  
    no? - call adduser_script() or winbind_create_user()
    still no user?  Fail.
  unix user exists now so add to passdb.

The new code with winbindd_passdb would be

  does user exist in passdb?  (if yes, fail ALREADY_EXISTS)
  add user to passdb (idmap would allocate a uid for you)

The problem for the 3.0 release was that we only had idmap.  
You really need both of these things to go hand in hand to make 
sense.  

So now we have one working implementation (in current code) and 
one on paper (winbindd_passdb+idmap).

So beyond 3.0, we can revisit this.  Whether winbindd_passdb 
is the right thing to do or not is unknown.  And which competing 
solution will be in future versions of Samba is also unknown.  I 
think we would all agree that having 3.0 out the door so we _can_ 
move on is what's best right now.  

> But you don't need to do this.  I have a gut feeling that
> winbindd_passdb was based out of the assumption that you couldn't run
> winbindd on a Samba PDC as a domain member.  Since we know that is not
> the case, why bother with passdb?  Why not just use the rpc functions
> already used as a member of any domain?

Scratch this argument.  It is invalid and will loop.





cheers, jerry



