CVS update: samba/source/auth

Simo idra at samba.org
Tue May 13 15:31:59 GMT 2003


Seems reasonable, I'm ok with your proposal.
Do you have any comments on the idmap_ldap patch?

I have some doubt about using both sambaAccount and idmapEntry to store
the SID<->ugid mappings.

I think we should use a unique objectclass, perhaps binding it to the
user when it exists.

Simo.

On Tue, 2003-05-13 at 16:42, Andrew Bartlett wrote:
> On Tue, 2003-05-13 at 05:11, Simo wrote:
> > atm, the only thing that does not work properly are non unix accounts,
> > all the rest should be fine.
> 
> My proposal is this:
> 
> We enable 'non unix accounts' by default, when the idmap range is set. 
> However, until winbind_passdb is implemented - and for the case where
> it's implemented but not enabled - we will only allow machines to be
> added this way.
> 
> Because we know the range of rids we are using is safe, and because ldap
> now properly increments this counter, I no longer consider it a hack. 
> It has graduated to 'inspired' ;-)
> 
> Note - the idmap changes have removed all 'only unix users in passdb'
> checks.  A user may be in the passdb without being in /etc/passwd, and
> deleting a user from passdb will not 'implicitly' delete them from the
> SAM.  This makes the ldap code much saner, in particular - and checking
> this can be a big performance hit.
> 
> The intention is to leave a single check at login time for a valid unix
> account, but to otherwise require the admin to clean up both.  (The rest
> of the time idmap will tell us the uid, without asking nss).
> 
> > the distributed winbindd infrastructure is in place, we only miss the
> > idmap_ldap code, that's really trivial to do.
> 
> A patch for this has been posted, btw.  
> 
> > the importance of idmap is to be able to add other pieces during 3.0
> > releases without having upgrade problems as much as we can.
> 
> It also kills a potential performance nightmare in the old 3.0 sid->uid
> code.
> 
> Andrew Bartlett
-- 
Simo Sorce    -  idra at samba.org
Samba Team    -  http://www.samba.org
Italian Site  -  http://samba.xsec.it

