CVS update: samba/source/auth
Simo
idra at samba.org
Tue May 13 15:31:59 GMT 2003
Seems reasonable, I'm ok with your proposal.
Do you have any comments on the idmap_ldap patch?
I have some doubts about using both sambaAccount and idmapEntry to store
the SID<->ugid mappings.
I think we should use a unique objectclass, perhaps binding it to the
user when it exists.
Simo.
On Tue, 2003-05-13 at 16:42, Andrew Bartlett wrote:
> On Tue, 2003-05-13 at 05:11, Simo wrote:
> > atm, the only thing that does not work properly are non unix accounts,
> > all the rest should be fine.
>
> My proposal is this:
>
> We enable 'non unix accounts' by default, when the idmap range is set.
> However, until winbind_passdb is implemented - and for the case where
> it's implemented but not enabled - we will only allow machines to be
> added this way.
>
> Because we know the range of rids we are using is safe, and because ldap
> now properly increments this counter, I no longer consider it a hack.
> It has graduated to 'inspired' ;-)
>
> Note - the idmap changes have removed all 'only unix users in passdb'
> checks. A user may be in the passdb without being in /etc/passwd, and
> deleting a user from passdb will not 'implicitly' delete them from the
> SAM. This makes the ldap code much saner, in particular - and checking
> this can be a big performance hit.
>
> The intention is to leave a single check at login time for a valid unix
> account, but to otherwise require the admin to clean up both. (The rest
> of the time idmap will tell us the uid, without asking nss).
>
> > the distributed winbindd infrastructure is in place, we only miss the
> > idmap_ldap code, that's really trivial to do.
>
> A patch for this has been posted, btw.
>
> > the importance of idmap is to be able to add other pieces during 3.0
> > releases without having upgrade problems as much as we can.
>
> It also kills a potential performance nightmare in the old 3.0 sid->uid
> code.
>
> Andrew Bartlett
--
Simo Sorce - idra at samba.org
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
More information about the samba-technical
mailing list