CVS update: samba/source/auth

Andrew Bartlett abartlet at samba.org
Tue May 13 14:42:41 GMT 2003


On Tue, 2003-05-13 at 05:11, Simo wrote:
> atm, the only thing that does not work properly are non unix accounts,
> all the rest should be fine.

My proposal is this:

We enable 'non unix accounts' by default, when the idmap range is set. 
However, until winbind_passdb is implemented - and for the case where
it's implemented but not enabled - we will only allow machines to be
added this way.

Because we know the range of rids we are using is safe, and because ldap
now properly increments this counter, I no longer consider it a hack. 
It has graduated to 'inspired' ;-)

Note - the idmap changes have removed all 'only unix users in passdb'
checks.  A user may be in the passdb without being in /etc/passwd, and
deleting a user from passdb will not 'implicitly' delete them from the
SAM.  This makes the ldap code much saner, in particular - and checking
this can be a big performance hit.

The intention is to leave a single check at login time for a valid unix
account, but to otherwise require the admin to clean up both.  (The rest
of the time idmap will tell us the uid, without asking nss).

> the distributed winbindd infrastructure is in place, we only miss the
> idmap_ldap code, that's really trivial to do.

A patch for this has been posted, btw.  

> the importance of idmap is to be able to add other pieces during 3.0
> releases without having upgrade problems as much as we can.

It also kills a potential performance nightmare in the old 3.0 sid->uid
code.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net