PATCH: support for LDAP name<->SID lookups

Luke Howard lukeh at PADL.COM
Sat Aug 28 10:16:33 GMT 2004


>Some time ago I've deliberately taken this away from Samba 3. I wanted to
>reduce the call-outs to trusted DCs as much as possible. Samba asks only our
>own DC for name2sid and sid2name. In your specific problem this was not
>possible? I think if your own DC can't resolve names/sids of domains it trusts
>this will not be your worst problem.

True, the correct solution is to always use the naming RPCs. In our case
the RPC server is in its own address space, and CIFS encapsulated RPCs
are shunted using the DCE RPC funnel I posted here some time ago. The
problem with winbindd using this is that it will deadlock, as smbd calls
winbindd to create a user's token.

For us, the ideal solution is to make these RPCs over ncalrpc (domain
sockets), but in SAMBA 3 the CIFS and RPC code is too intertwined to
make this practical (although for an example of using the SAMBA 3 RPC
client library over domain sockets, check out the new auth_paula plugin
at http://www.padl.com/download/xad_oss_plugins.tar.gz).

In the end, name resolution over LDAP is an acceptable solution for us.

Another solution that would work would be to disable the code path that
does a SID or name lookup to figure out whether a POSIX identity is a
user or group or not (given our idmap_ad plugin already verifies this).
But I would rather not change core functionality to depend on specific
plugin behaviour.

The interesting thing is that I'm sure this used to work with SAMBA
3.0.1... I wonder how!

-- Luke
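As an added illustration of what the name<->SID lookups discussed above involve when done over LDAP (example code written for this page, not Luke's patch and not Samba or winbindd code): converting an Active Directory objectSid between its binary and "S-1-5-..." string forms, and building correctly escaped LDAP filters for both the name2sid and sid2name directions. It assumes the standard AD attributes sAMAccountName and objectSid; the SIDs and account names used are constructed samples.

```python
import struct

def sid_from_bytes(blob: bytes) -> str:
    """Decode a binary objectSid: revision, sub-authority count,
    48-bit big-endian identifier authority, then 32-bit little-endian
    sub-authorities. Rejects blobs whose length does not match the count."""
    if len(blob) < 8:
        raise ValueError("objectSid too short")
    revision, sub_count = blob[0], blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_to_bytes(sid: str) -> bytes:
    """Encode an "S-R-A-s1-s2-..." string into the binary objectSid layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or len(subs) > 15:
        raise ValueError("SID field out of range: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def ldap_escape(value: str) -> str:
    """RFC 4515 filter escaping, so a user-supplied name cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def name2sid_filter(name: str) -> str:
    """Filter for looking up an account by name; caller reads objectSid."""
    return "(sAMAccountName=%s)" % ldap_escape(name)

def sid2name_filter(sid: str) -> str:
    """Filter for looking up an account by SID; binary value hex-escaped byte by byte."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid_to_bytes(sid))
```

Note that the sAMAccountName lookup must escape the name, while the objectSid lookup must be done against the binary form; AD does not match the "S-1-5-..." string form in a filter.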
