Design flaw winbindd idmapping?

simo idra at samba.org
Thu Jul 13 04:30:07 GMT 2006


While I still don't see your point, it occurred to me that in the idmap
rewrite we may want to possibly have different idmap backends for
different domains.

For example we may be joined to an AD domain that trusts a samba domain.
We may want to use idmap_ad for the accounts on the AD domain while
using the unixinfo pipe or ldap for the samba domain. I understand that
this means the domains may end up having overlapping uids/gids if
poorly managed. But this has to be controlled by the admins; we can
simply set "filter" ranges to help admins not to mess things up too
much.

Simo.

On Thu, 2006-07-13 at 00:04 -0400, simo wrote:
> Can't you just use the values set in ad ?
> I do not see where the conflict lies.
> 
> Can you give an example?
> 
> Simo.
> 
> On Wed, 2006-07-12 at 22:09 -0500, Gerald (Jerry) Carter wrote:
> > Guys,
> > 
> > I was thinking about winbind's nested group support and 
> > the idmap_ad plugin.  Seems to me that the two are incompatible.
> > What we need is a gid range winbindd can use for groups and
> > then query AD for domain users and groups.  Make sense?
> > 
> > 
> > 
> > 
> > cheers, jerry
> > =====================================================================
> > Samba                                    ------- http://www.samba.org
> > Centeris                         -----------  http://www.centeris.com
> > "What man is a man who does not make the world better?"      --Balian
-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
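
Added example, not part of the original thread: a Python check for the overlapping uid/gid ranges mentioned above, where two domains' accounts would resolve to the same Unix id and share file ownership. It assumes the per-domain `idmap config DOMAIN : range` syntax of later Samba releases; the domain names and ranges in the sample are constructed.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment (domain names and ranges are made up).
SAMPLE_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ADDOM : backend = ad
    idmap config ADDOM : range = 10000-29999
    idmap config SAMBADOM : backend = ldap
    idmap config SAMBADOM : range = 25000-39999
"""

LINE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*"
    r"(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = domains.setdefault(m["dom"].upper(), {})
        if m["key"].lower() == "range":
            low, high = (int(x) for x in m["val"].split("-", 1))
            if low > high:
                raise ValueError(f"inverted range for {m['dom']}: {m['val']}")
            entry["range"] = (low, high)
        else:
            entry["backend"] = m["val"].lower()
    return domains

def find_overlaps(domains):
    """Return (dom_a, dom_b, (low, high)) for every pair of colliding ranges."""
    ranged = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    hits = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranged, 2):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo <= hi:  # inclusive ranges share at least one id
            hits.append((a, b, (lo, hi)))
    return hits

if __name__ == "__main__":
    for a, b, (lo, hi) in find_overlaps(parse_idmap(SAMPLE_CONF)):
        print(f"overlap: {a} and {b} both map ids {lo}-{hi}")
```
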


