[PATCH] New external idmap module

simo idra at samba.org
Wed May 31 16:41:11 GMT 2006

On Wed, 2006-05-31 at 18:18 +0200, Volker Lendecke wrote:
> On Wed, May 31, 2006 at 09:12:20AM -0700, Dave Daugherty wrote:
> > Some Administrators want to control exactly who gets to access the Samba
> > servers, and having an easy way to remove their access when they quit.
> > Being able to control who has mappings turns out to be a convenient way
> > to do this, or at least is extra insurance.
> Have you seen 'net idmap delete'? This is deliberately
> undocumented because I see it as dangerous, but it does
> exactly what you want.

Idmap delete does it, but for one server at a time.
If you have 100 servers, you will be required to log into 100 servers
and run it each time you remove a mapping, this is error prone.

If you want to automate it it means you have to run something on each
server that regularly:
1) retrieve the current mapping (eg with idmap dump)
2) run a query against the mapping storage for all the known mappings
3) diff the 2 lists
4) remove any mapping that is missing with idmap delete

This way you achieve the same effect, but you need a second daemon or
cron job and you need to hit the central store not on demand but
regularly from multiple servers.
It does not scale well imho.


Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org

More information about the samba-technical mailing list