svn commit: samba r12293 - in trunk/source/utils: .

Simo Sorce idra at
Sat Dec 17 10:15:28 GMT 2005

On Sat, 2005-12-17 at 11:06 +0100, Volker Lendecke wrote:
> On Sat, Dec 17, 2005 at 10:50:34AM +0100, simo wrote:
> > I completely agree with you. The failed attempt of idmap (the part that
> > didn't survived) work initially done was to reach most of the objectives
> > stated here, convert once and in a central place to avoid mistakes and
> > help keeping the core of resolutions as early and as correct as
> > possible.
> Idmap maybe tried to solve the wrong problem (no offense intended ;-)),

no offense, it missed part of the problem, but the general idea behind
it stands imho.

> sid2uid/gid is easy once lookup_name/sid can reliably tell you what type of
> object we're talking about. Where to look is also easy by looking at the SID.


> Is it builtin, our own domain or somewhere else?
> > Agreed, the current situation can be enhanced a lot by your proposal,
> > better to break a few installations but have a better resolution
> > mechanism, that will pay in the long term imho.
> Breaking installation is tough I think and needs to be prepared *very* well. I
> just thought about an internal flag to lookup_name that indicates to skip the
> pdb_getpwnam in the lookup_global_sam_name. We can't break the valid users =
> @group case, probably never. But having this "legacy" hack well-encapsulated
> might be much better than what we have now.

I'm not saying we should break installations without deep thoughts. And
I know our mess is 90% about backwards compatibility problems anyway.
we can certainly never break valid users or any other security sensitive
commands, but I'm sure we will find out a way to do that properly.


Simo Sorce    -  idra at
Samba Team    -
Italian Site  -

More information about the samba-technical mailing list