Design flaw winbindd idmapping?

simo idra at
Thu Jul 13 15:40:10 GMT 2006

On Thu, 2006-07-13 at 17:16 +0200, Volker Lendecke wrote:
> On Thu, Jul 13, 2006 at 12:04:09AM -0400, simo wrote:
> > Can't you just use the values set in AD?
> > I do not see where the conflict lies.
> Winbind nested groups are local to the domain member or
> trusting DC and thus can very well conflict with the local
> groups on a domain controller. Maybe we really need a range
> separate for them.

You mean the local builtin groups or local machine SID groups?
I think we should have a way to associate different idmap backends with
different configurations to different domains. This would handle this
case too; you will just need to configure things like:

TRUSTED_SAMBADOM:idmap_ldap,range=401-500,ldap url=ldap://,ldap

and so on ...


Simo Sorce
Samba Team GPL Compliance Officer
email: idra at
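
Added example, not part of the original message and not Samba code: a check that per-domain idmap ranges written in the `DOMAIN:backend,range=lo-hi` shape sketched above do not overlap, since two domains sharing an id range would let different SIDs resolve to the same Unix uid/gid. The syntax is only the proposal from this thread; every name and value other than `TRUSTED_SAMBADOM`, `idmap_ldap` and `401-500` is constructed.

```python
import re

# Constructed sample in the "DOMAIN:backend,range=lo-hi" shape sketched in the
# message. Only TRUSTED_SAMBADOM, idmap_ldap and 401-500 come from the message;
# the other domains, backends and ranges are made up for illustration.
SAMPLE = """\
TRUSTED_SAMBADOM:idmap_ldap,range=401-500
BUILTIN:idmap_tdb,range=300-450
OTHERDOM:idmap_tdb,range=501-600
"""

LINE_RE = re.compile(r"^(?P<domain>[^:\s]+):(?P<backend>[^,\s]+)(?:,(?P<opts>.*))?$")
RANGE_RE = re.compile(r"^(\d+)-(\d+)$")

def parse(text):
    """Return (domain, backend, low, high) for each non-empty line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected DOMAIN:backend[,options]")
        opts = {}
        for item in (m["opts"] or "").split(","):
            key, sep, value = item.partition("=")
            if sep:
                opts[key.strip()] = value.strip()
        r = RANGE_RE.match(opts.get("range", ""))
        if not r or int(r[1]) > int(r[2]):
            raise ValueError(f"line {lineno}: missing or invalid range=")
        entries.append((m["domain"], m["backend"], int(r[1]), int(r[2])))
    return entries

def overlaps(entries):
    """Return (domain_a, domain_b, first_shared_id, last_shared_id) per clash."""
    found = []
    ordered = sorted(entries, key=lambda e: e[2])
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b[2] > a[3]:
                break  # sorted by low bound: nothing later can intersect a
            found.append((a[0], b[0], b[2], min(a[3], b[3])))
    return found

if __name__ == "__main__":
    for a, b, lo, hi in overlaps(parse(SAMPLE)):
        print(f"{a} and {b} both map ids {lo}-{hi}")
```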

More information about the samba-technical mailing list