sambaSID in the sambaSamAccount a good idea?

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jun 24 20:21:19 GMT 2003


Hi!

I just ran into the following problem, which in retrospect is an
absolutely simple user error: I took an existing LDAP database with
sambaSamAccount objects and set up a new server with it. This simply
does not work as expected, at least I as a naive user had expected a
different result.

The new server had created a SID of its own, as it did not have a
secrets.tdb. So all the LDAP accounts were foreign to it, and idmap
happily allocated arbitrary uids to the LDAP users. So with this as a
PDC I could not join a domain with 'root', as the account 'root' was
mapped to uid 10000.

In this respect pdb_ldap and pdb_tdb behave differently, pdb_tdb only
stores the RID.

Ok, we definitely need to store the domain SID in LDAP. But I'm not sure
I like the idea that we have the complete SID attached to the user. I
think I would feel better with only the RID in it. We could make it
relative to the OU and the domain object in that OU or whatever, but
user objects with a complete SID? I'm not sure.

This does not mean that the sambaSID attribute does not have a value in
itself -- we will need it for a decent alias implementation.

Comments?

Volker
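Added example (not part of the post and not Samba code): a small model of the
failure described above. It splits a stored sambaSID into its domain part and
RID, reports which sambaSamAccount entries are foreign to a given server SID,
and shows why a server that generated a fresh SID hands those accounts idmap
uids instead of their uidNumber. The two domain SIDs, the account entries and
the idmap allocation model (next free uid from 10000 upward, in entry order)
are constructed for the example; real idmap allocation is not this simple.

```python
import re
from typing import Dict, List, Tuple

# Constructed values for this example; they are not taken from the post or from Samba.
OLD_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # SID the old PDC kept in secrets.tdb
NEW_DOMAIN_SID = "S-1-5-21-444444444-555555555-666666666"  # SID a fresh server generated for itself

# Constructed sambaSamAccount entries as the old PDC wrote them: each carries the
# complete SID (domain SID plus RID), which is the pdb_ldap behaviour the post describes.
ACCOUNTS: List[Dict[str, object]] = [
    {"uid": "root",  "uidNumber": 0,    "sambaSID": OLD_DOMAIN_SID + "-500"},
    {"uid": "alice", "uidNumber": 1001, "sambaSID": OLD_DOMAIN_SID + "-3002"},
    {"uid": "bob",   "uidNumber": 1002, "sambaSID": OLD_DOMAIN_SID + "-3004"},
]

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a full SID into (domain SID, RID); the RID is the last sub-authority."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_from_rid(domain_sid: str, rid: int) -> str:
    """Rebuild a full SID from the local domain SID and a stored RID.

    This is the pdb_tdb model from the post: only the RID is stored, so the
    account is always in whatever domain the server currently is."""
    return f"{domain_sid}-{rid}"


def is_local(sid: str, local_domain_sid: str) -> bool:
    """True if the SID's domain part equals this server's domain SID."""
    return split_sid(sid)[0] == local_domain_sid


def foreign_accounts(entries: List[Dict[str, object]], local_domain_sid: str) -> List[str]:
    """Pre-flight check: names of accounts whose stored SID is not in this server's domain.

    Run this against the LDAP data before bringing a new server up on it; a
    non-empty list means secrets.tdb and the sambaSID attributes disagree."""
    return [str(e["uid"]) for e in entries
            if not is_local(str(e["sambaSID"]), local_domain_sid)]


def map_uids(entries: List[Dict[str, object]], local_domain_sid: str,
             idmap_base: int = 10000) -> Dict[str, int]:
    """Simplified model of the lookup the post describes (assumption, not Samba's code):
    an account whose SID is in the local domain keeps its uidNumber; any other SID is
    treated as foreign and gets the next free idmap uid, starting at idmap_base."""
    result: Dict[str, int] = {}
    next_uid = idmap_base
    for e in entries:
        name = str(e["uid"])
        if is_local(str(e["sambaSID"]), local_domain_sid):
            result[name] = int(e["uidNumber"])
        else:
            result[name] = next_uid
            next_uid += 1
    return result


if __name__ == "__main__":
    print("foreign under old SID:", foreign_accounts(ACCOUNTS, OLD_DOMAIN_SID))
    print("foreign under new SID:", foreign_accounts(ACCOUNTS, NEW_DOMAIN_SID))
    print("root under old SID ->", map_uids(ACCOUNTS, OLD_DOMAIN_SID)["root"])
    print("root under new SID ->", map_uids(ACCOUNTS, NEW_DOMAIN_SID)["root"])
```

With the old domain SID every entry is local and root keeps uid 0; with the
freshly generated SID every entry is foreign and root lands on the first
allocated uid, 10000, which is the symptom in the post. foreign_accounts() is
the check to run before reusing an LDAP database on a server that has no
secrets.tdb.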