[PATCH] New external idmap module

simo idra at samba.org
Wed May 31 16:41:11 GMT 2006


On Wed, 2006-05-31 at 18:18 +0200, Volker Lendecke wrote:
> On Wed, May 31, 2006 at 09:12:20AM -0700, Dave Daugherty wrote:
> > Some Administrators want to control exactly who gets to access the Samba
> > servers, and having an easy way to remove their access when they quit.
> > Being able to control who has mappings turns out to be a convenient way
> > to do this, or at least is extra insurance.
> 
> Have you seen 'net idmap delete'? This is deliberately
> undocumented because I see it as dangerous, but it does
> exactly what you want.

Idmap delete does it, but for one server at a time.
If you have 100 servers, you will be required to log into 100 servers
and run it each time you remove a mapping; this is error prone.

If you want to automate it, it means you have to run something on each
server that regularly:
1) retrieves the current mapping (e.g. with idmap dump)
2) runs a query against the mapping storage for all the known mappings
3) diffs the 2 lists
4) removes any mapping that is missing with idmap delete

This way you achieve the same effect, but you need a second daemon or
cron job and you need to hit the central store not on demand but
regularly from multiple servers.
It does not scale well imho.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
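
The four-step reconciliation described in the message above, as an added example (not part of the original message or of Samba): it parses a local dump, diffs it against the SIDs the central store returned, and refuses to produce a removal list when the central answer is empty or would remove more than a set fraction of the local mappings. The dump line shape, the 20% threshold, the function names and the sample data are assumptions; the removal itself is left to 'net idmap delete', whose arguments the thread does not show.

```python
import re

# Assumed dump line shape: "UID|GID <unix id> <SID>"; adjust to your Samba version.
LINE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-1-\d+(?:-\d+)+)$")


class ReconcileError(Exception):
    """Raised when it is not safe to produce a removal list."""


def parse_dump(text):
    """Step 1: turn the local dump into {sid: (kind, unix_id)}."""
    mappings = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = LINE.match(line)
        if match is None:
            raise ReconcileError(f"line {number}: unrecognised mapping {line!r}")
        kind, unix_id, sid = match.groups()
        mappings[sid] = (kind, int(unix_id))
    return mappings


def stale_mappings(local, central_sids, max_fraction=0.2):
    """Steps 3 and 4: local mappings whose SID the central store no longer lists."""
    if not central_sids:
        # An empty answer is far more likely an outage than "everyone left".
        raise ReconcileError("central store returned nothing; removing nothing")
    stale = {sid: local[sid] for sid in sorted(local) if sid not in central_sids}
    if len(stale) > max_fraction * len(local):
        raise ReconcileError(f"{len(stale)} of {len(local)} mappings look stale; check the store first")
    return stale


# Constructed sample data (not from a real server).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_DUMP = "\n".join(
    f"{kind} {uid} {DOMAIN}-{rid}"
    for kind, uid, rid in [("UID", 10000, 1001), ("UID", 10001, 1002), ("GID", 10002, 513),
                           ("UID", 10003, 1003), ("UID", 10004, 1004)]
)
SAMPLE_CENTRAL = {f"{DOMAIN}-{rid}" for rid in (1001, 1002, 513, 1004)}  # step 2 result

if __name__ == "__main__":
    for sid, (kind, unix_id) in stale_mappings(parse_dump(SAMPLE_DUMP), SAMPLE_CENTRAL).items():
        print(f"stale: {kind} {unix_id} {sid}")  # hand these to the removal step
```

Both guards fail closed: a central store that is unreachable or returns a truncated list leaves every local mapping in place instead of revoking access for everyone.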


