Design flaw winbindd idmapping?
simo
idra at samba.org
Thu Jul 13 15:40:10 GMT 2006
On Thu, 2006-07-13 at 17:16 +0200, Volker Lendecke wrote:
> On Thu, Jul 13, 2006 at 12:04:09AM -0400, simo wrote:
> > Can't you just use the values set in AD?
> > I do not see where the conflict lies.
>
> Winbind nested groups are local to the domain member or
> trusting DC and thus can very well conflict with the local
> groups on a domain controller. Maybe we really need a range
> separate for them.
You mean the local builtin groups or local machine SID groups?

I think we should have a way to associate different idmap backends with
different configurations to different domains. This would handle this
case too; you will just need to configure things like:

BUILTIN:idmap_local:range=100-200
MACHINE_NAME:idmap_local:range=201-300
AD_DOMAIN:idmap_ad:range=301-400
TRUSTED_SAMBADOM:idmap_ldap,range=401-500,ldap url=ldap://1.2.3.4,ldap dn=ldapuser:...

and so on ...

Simo
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
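
Added example, not part of the original message and not Samba code: a checker for the per-domain layout sketched in the message above. It parses entries in that proposed syntax (an illustration in the mail, not real smb.conf syntax) and reports Unix ID ranges that overlap between domains. The function names and the 150-300 range are constructed for the example.

```python
import re
from typing import NamedTuple

class IdmapRange(NamedTuple):
    domain: str
    backend: str
    low: int
    high: int

# DOMAIN, backend, then options; the message separates them with ':' or ','.
ENTRY_RE = re.compile(r"^(?P<domain>[^:]+):(?P<backend>[^:,]+)[:,](?P<opts>.*)$")
RANGE_RE = re.compile(r"(?:^|[:,])\s*range=(\d+)-(\d+)(?=$|[:,])")

def parse_entry(line):
    """Parse one entry of the syntax sketched in the message (not real smb.conf)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DOMAIN:backend:options entry: {line!r}")
    r = RANGE_RE.search(m["opts"])
    if not r:
        raise ValueError(f"no range= option for domain {m['domain']}")
    low, high = int(r[1]), int(r[2])
    if low > high:
        raise ValueError(f"inverted range for domain {m['domain']}")
    return IdmapRange(m["domain"], m["backend"], low, high)

def find_overlaps(entries):
    """Return (domain_a, domain_b, first_shared_id, last_shared_id) per clash."""
    ordered = sorted(entries, key=lambda e: (e.low, e.high))
    clashes = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.low > a.high:
                break  # sorted by low, so nothing later can reach into a
            clashes.append((a.domain, b.domain, b.low, min(a.high, b.high)))
    return clashes

# The four entries from the message, then a constructed misconfiguration.
FROM_MESSAGE = [
    "BUILTIN:idmap_local:range=100-200",
    "MACHINE_NAME:idmap_local:range=201-300",
    "AD_DOMAIN:idmap_ad:range=301-400",
    "TRUSTED_SAMBADOM:idmap_ldap,range=401-500,ldap url=ldap://1.2.3.4,ldap dn=ldapuser:...",
]
CONSTRUCTED_BAD = [FROM_MESSAGE[0], "MACHINE_NAME:idmap_local:range=150-300"] + FROM_MESSAGE[2:]

if __name__ == "__main__":
    for label, cfg in (("message", FROM_MESSAGE), ("constructed", CONSTRUCTED_BAD)):
        print(label, find_overlaps([parse_entry(s) for s in cfg]))
```

An overlap means one Unix ID can resolve to SIDs in two domains, so file ownership and group checks may apply to the wrong principal.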
More information about the samba-technical mailing list