get_domain_user_groups() improvement.

Fri Sep 24 22:17:09 GMT 2004

On Sat, 2004-09-25 at 04:13, Igor Belyi wrote:
> Simo Sorce wrote:
> 
> >On Thu, 2004-09-23 at 17:14, Igor Belyi wrote:
> >  
> >
> >>Just to clarify the idea - pushing _all_ NSS calls from common pdbpass 
> >>functions into backends and letting ldapsam backend assume that UNIX 
> >>accounts and groups are in traditianal LDAP objects while keeping all 
> >>other backends to use NSS calls is the right approach. Is that correct?
> >>    
> >>
> >
> >no, sorry that is not correct.
> >There is always one account that do not obey that rule, that's root
> >(never seen anybody putting it into ldap, it is always in /etc/passwd).
> >And I've seen other environments that also use ldap only for samba user
> >part storage and not for unix user storage (no nss_ldap on the system).
> >  
> >
> 
> Then get_memberuids() is doomed. To get the list of all users whose 
> primary group has a particular gid you need to either have their 
> posixAccount in LDAP to allow filter to do the work or list all users 
> via NSS as get_memberuids() function does now.

Unfortunately we are now so far into the 3.0 series that we can't
realistically break any 'working' configuration, no matter how much I
may feel it's brain-dead or otherwise ;-).  Naturally, that didn't stop
the performance issue being introduced for correctness, but what we can
do is guard the fix with 'ldap trust ids' (or a better name) as a
smb.conf parameter.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040925/44ed2bd7/attachment.bin