[PATCH] New external idmap module

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed May 31 07:57:50 GMT 2006


On Tue, May 30, 2006 at 06:58:34PM -0400, simo wrote:

> You can't seriously call that an RPC method, it is a very trivial
> communication protocol, and it needs to be simple because we do not need
> to extend it nor to pass any fancy data in it.

I see it as an RPC method. A client (winbind) calls an
operation (Please give me a uid for this SID) to a Server
(the Vintela central daemon). I don't want to look up the
definition of RPC in Wikipedia, but I would pretty much
assume that this meets the definition of RPC.

> I am following a KISS approach.

Matthew Mastracci's module: 261 lines, your module: 863
lines. And Matthew's module does not have to touch other
modules.

> I can even strip out the tcp support if it makes you happier, I do not
> really need it, I just thought it was nice to have a way to make it
> SIMPLE to share mappings without the need to set up an openLdap server
> which is very difficult for many admins.

This is a point of opinion here: I do not want to make it
easy for admins to set up broken configurations. And I still
see the ability to change existing mappings at will as a
broken configuration. This is one of the reasons why I do
not like 'net groupmap'. I have been at customers with very
hard to track down problems that turned out to be broken
group mappings. This is why I created a more restrictive
tool 'net sam'. It does not make it as easy to shoot
yourself in the foot.

We are living with the idea of a mapping being static once
it's established and have assumptions about that in the
code. See for example this smbd in-memory cache. We would
have to add a notification mechanism to smbd to throw away
its cache. Yes, this is just a tiny part of code using the
messaging system but I fear that we get races all over the
place.

I would not complain about this particular feature of the
module you propose if I did not see an alternative: Remove
winbindd_idmap.tdb and restart Samba.

> No you can't, not always, and you still will have to solve the problem
> of feeding the master smbd server,

Sure, but the unixinfo pipe is not fully done yet.

> and it will be a single point of failure etc...

So you want to add failover support to your module? We are
going to go through great pains selecting and connecting to
a domain controller. See the latest checkins to winbind.
From my point of view this is a really hard problem, but
your mileage may vary here.

Volker
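The point about the in-memory cache and the missing notification mechanism is easy to see with a toy model. The following is an added illustration and is not Samba code: `CentralIdmap` stands in for a central mapping daemon and `CachingClient` for a winbind-like consumer that caches SID-to-uid answers in memory. The SIDs and uids are constructed sample values. The first scenario changes an established mapping with no invalidation, so the cache keeps answering with the old uid (file ownership would then be attributed to the wrong account); the second wires in a change notification so the cache is dropped for that SID.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample mappings (hypothetical SIDs and uids, not real values).
SAMPLE_MAPPINGS = {
    "S-1-5-21-1-2-3-1104": 10001,
    "S-1-5-21-1-2-3-1105": 10002,
}


class CentralIdmap:
    """Stand-in for a central SID<->uid authority (hypothetical)."""

    def __init__(self, mappings: Dict[str, int]) -> None:
        self._map = dict(mappings)
        self._listeners: List[Callable[[str], None]] = []

    def subscribe(self, callback: Callable[[str], None]) -> None:
        # Register a consumer that wants to hear about changed mappings.
        self._listeners.append(callback)

    def lookup(self, sid: str) -> Optional[int]:
        return self._map.get(sid)

    def change_mapping(self, sid: str, uid: int) -> None:
        # The operation Volker argues should not exist: mutate an
        # established mapping and tell anyone who subscribed.
        self._map[sid] = uid
        for cb in self._listeners:
            cb(sid)


class CachingClient:
    """Winbind-like consumer with an in-memory SID->uid cache."""

    def __init__(self, backend: CentralIdmap, subscribe: bool) -> None:
        self.backend = backend
        self.cache: Dict[str, int] = {}
        self.backend_calls = 0
        if subscribe:
            backend.subscribe(self.invalidate)

    def sid_to_uid(self, sid: str) -> Optional[int]:
        # Cache hit: answer without asking the backend. This is the
        # "mapping is static once established" assumption in action.
        if sid in self.cache:
            return self.cache[sid]
        self.backend_calls += 1
        uid = self.backend.lookup(sid)
        if uid is not None:
            self.cache[sid] = uid
        return uid

    def invalidate(self, sid: str) -> None:
        # Throw away the cached answer for one SID on notification.
        self.cache.pop(sid, None)


def run_scenario(subscribe: bool) -> tuple:
    """Return (uid before change, uid after change, backend calls)."""
    sid = "S-1-5-21-1-2-3-1104"
    backend = CentralIdmap(SAMPLE_MAPPINGS)
    client = CachingClient(backend, subscribe=subscribe)
    before = client.sid_to_uid(sid)          # populates the cache
    backend.change_mapping(sid, 20001)       # mapping changed centrally
    after = client.sid_to_uid(sid)           # stale unless invalidated
    return before, after, client.backend_calls


if __name__ == "__main__":
    print("no notification:", run_scenario(subscribe=False))
    print("with notification:", run_scenario(subscribe=True))
```

Without the subscription the client never goes back to the backend, so it keeps reporting uid 10001 for a SID that the central daemon now maps to 20001; with it, the cache entry is dropped and the second lookup fetches the new value. The model has a single consumer and synchronous callbacks, which is exactly what a real deployment does not have: several smbd processes, each with its own cache, receiving messages at different times, which is where the races Volker worries about come from.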