get_domain_user_groups() improvement.
Andrew Bartlett
abartlet at samba.org
Fri Sep 24 22:17:09 GMT 2004
On Sat, 2004-09-25 at 04:13, Igor Belyi wrote:
> Simo Sorce wrote:
>
> >On Thu, 2004-09-23 at 17:14, Igor Belyi wrote:
> >
> >
> >>Just to clarify the idea - pushing _all_ NSS calls from common pdbpass
> >>functions into backends and letting ldapsam backend assume that UNIX
> >>accounts and groups are in traditianal LDAP objects while keeping all
> >>other backends to use NSS calls is the right approach. Is that correct?
> >>
> >>
> >
> >no, sorry that is not correct.
> >There is always one account that do not obey that rule, that's root
> >(never seen anybody putting it into ldap, it is always in /etc/passwd).
> >And I've seen other environments that also use ldap only for samba user
> >part storage and not for unix user storage (no nss_ldap on the system).
> >
> >
>
> Then get_memberuids() is doomed. To get the list of all users whose
> primary group has a particular gid you need to either have their
> posixAccount in LDAP to allow filter to do the work or list all users
> via NSS as get_memberuids() function does now.
Unfortunately we are now so far into the 3.0 series that we can't
realistically break any 'working' configuration, no matter how much I
may feel it's brain-dead or otherwise ;-). Naturally, that didn't stop
the performance issue being introduced for correctness, but what we can
do is guard the fix with 'ldap trust ids' (or a better name) as a
smb.conf parameter.
Andrew Bartlett
--
Andrew Bartlett abartlet at samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040925/44ed2bd7/attachment.bin
More information about the samba-technical
mailing list