Design flaw winbindd idmapping?

simo idra at samba.org
Thu Jul 13 15:40:10 GMT 2006


On Thu, 2006-07-13 at 17:16 +0200, Volker Lendecke wrote:
> On Thu, Jul 13, 2006 at 12:04:09AM -0400, simo wrote:
> > Can't you just use the values set in AD?
> > I do not see where the conflict lies.
> 
> Winbind nested groups are local to the domain member or
> trusting DC and thus can very well conflict with the local
> groups on a domain controller. Maybe we really need a range
> separate for them.

You mean the local builtin groups or local machine SID groups?
I think we should have a way to associate different idmap backends with
different configurations to different domains. This would handle this
case too; you will just need to configure things like:

BUILTIN:idmap_local:range=100-200
MACHINE_NAME:idmap_local:range=201-300
AD_DOMAIN:idmap_ad:range=301-400
TRUSTED_SAMBADOM:idmap_ldap,range=401-500,ldap url=ldap://1.2.3.4,ldap dn=ldapuser:...

and so on ...

Simo

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
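
Added example (not part of the original message and not Samba code): a check that per-domain id ranges written in the notation sketched above never overlap, since two domains sharing a range would map different SIDs to the same uid/gid. The notation is the message's proposal, not actual smb.conf syntax; parse_idmap_lines, find_overlaps and the EXTRA_DOM entry are hypothetical names constructed for the illustration.

```python
import re
from itertools import combinations

# Constructed sample in the notation sketched in the message above
# (a proposal, not actual smb.conf syntax). EXTRA_DOM is a constructed
# entry that deliberately collides with its neighbours.
SAMPLE = """\
BUILTIN:idmap_local:range=100-200
MACHINE_NAME:idmap_local:range=201-300
AD_DOMAIN:idmap_ad:range=301-400
TRUSTED_SAMBADOM:idmap_ldap,range=401-500,ldap url=ldap://1.2.3.4
EXTRA_DOM:idmap_local:range=350-450
"""

LINE_RE = re.compile(r"^(?P<domain>[^:\s]+):(?P<backend>\w+)[:,](?P<opts>.*)$")
RANGE_RE = re.compile(r"(?:^|,)\s*range=(\d+)-(\d+)\s*(?:,|$)")

def parse_idmap_lines(text):
    """Return {domain: (backend, low, high)}; raise ValueError on bad input."""
    mappings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        r = RANGE_RE.search(m.group("opts")) if m else None
        if not r:
            raise ValueError(f"line {lineno}: expected DOMAIN:backend:range=LOW-HIGH")
        low, high = int(r.group(1)), int(r.group(2))
        if low > high:
            raise ValueError(f"line {lineno}: inverted range {low}-{high}")
        if m.group("domain") in mappings:
            raise ValueError(f"line {lineno}: duplicate domain {m.group('domain')}")
        mappings[m.group("domain")] = (m.group("backend"), low, high)
    return mappings

def find_overlaps(mappings):
    """Return (domain_a, domain_b, low, high) for every shared id span."""
    overlaps = []
    for (a, (_, alo, ahi)), (b, (_, blo, bhi)) in combinations(sorted(mappings.items()), 2):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo <= hi:  # ranges are inclusive, so touching endpoints collide
            overlaps.append((a, b, lo, hi))
    return overlaps

if __name__ == "__main__":
    for a, b, lo, hi in find_overlaps(parse_idmap_lines(SAMPLE)):
        print(f"CONFLICT: {a} and {b} both map ids {lo}-{hi}")
```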


