abartlet at samba.org
Mon Oct 4 03:50:15 GMT 2004
On Mon, 2004-10-04 at 03:06, Volker.Lendecke at SerNet.DE wrote:
> On Fri, Sep 24, 2004 at 07:00:08AM +1000, Andrew Bartlett wrote:
> > My feeling is that we can push all NSS calls that regard groups into
> > such a mechanism, without difficulty. Other calls are more marginal -
> > we should look at the pointy-end (large numbers of users/groups)
> > performance implications of each call.
> If I understand the problem at hand correctly, this all revolves around the
> lack of a nss_givemealluserswiththisprimarygid() call, right? If this is
> correct, why not throw away nss_ldap and have winbind handle that. nss_ldap
> can't be that complicated, and we have ldap code in winbind anyway. Then from
> smbd we could scan nss with winbindd_off() and directly ask winbind for the
> rest, this time with a direct and more explicit call.
As much as I argued for this option for so, so long, I don't think it's
viable here, in short term. In the short term we are just trying to
make Samba 'not suck', while being accurate since your changes... ;-)
One other point that needs to be watched on this patch is that we can't
assume the primaryGroupID is present, and I would prefer to be sceptical
about it's accuracy. I think the search should be on the unix GID,
guarded by a suitable option. (And make the primaryGroupID default off
the unix primary group again, guarded by the same option).
Andrew Bartlett abartlet at samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20041004/ae7e5a72/attachment.bin
More information about the samba-technical