svn commit: samba r12293 - in trunk/source/utils: .
idra at samba.org
Sat Dec 17 10:15:28 GMT 2005
On Sat, 2005-12-17 at 11:06 +0100, Volker Lendecke wrote:
> On Sat, Dec 17, 2005 at 10:50:34AM +0100, simo wrote:
> > I completely agree with you. The failed attempt of idmap (the part that
> > didn't survive) work initially done was to reach most of the objectives
> > stated here, convert once and in a central place to avoid mistakes and
> > help keeping the core of resolutions as early and as correct as
> > possible.
> Idmap maybe tried to solve the wrong problem (no offense intended ;-)),
No offense, it missed part of the problem, but the general idea behind
it stands imho.
> sid2uid/gid is easy once lookup_name/sid can reliably tell you what type of
> object we're talking about. Where to look is also easy by looking at the SID.
> Is it builtin, our own domain or somewhere else?
> > Agreed, the current situation can be enhanced a lot by your proposal,
> > better to break a few installations but have a better resolution
> > mechanism, that will pay in the long term imho.
> Breaking installation is tough I think and needs to be prepared *very* well. I
> just thought about an internal flag to lookup_name that indicates to skip the
> pdb_getpwnam in the lookup_global_sam_name. We can't break the valid users =
> @group case, probably never. But having this "legacy" hack well-encapsulated
> might be much better than what we have now.
I'm not saying we should break installations without deep thoughts. And
I know our mess is 90% about backwards compatibility problems anyway.
We can certainly never break valid users or any other security sensitive
commands, but I'm sure we will find out a way to do that properly.
Simo Sorce - idra at samba.org
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it