[PATCH] New external idmap module
dave.daugherty at centrify.com
Wed May 31 19:32:15 GMT 2006
Wednesday, May 31, 2006 12:17 PM Simo wrote:
> On Wed, 2006-05-31 at 21:17 +0200, Volker Lendecke wrote:
> > On Wed, May 31, 2006 at 03:07:47PM -0400, simo wrote:
> > > > What is the difference to doing it in the winbind idmap
> > > > child? What is the difference in the unix domain protocol to
> > > > the network protocol? Why implement two different protocols?
> > >
> > > The ability to provide a non-GPL compatible local daemon without
> > > performance hit of a secure protocol.
> > Ah, and your non-GPL local daemon has to do the signing work
> > anyway, so there is no advantage to separate that out.
> Not when you implement a cache in that daemon,
> but it is ok, for me, to go into the direction of having a secure tcp
> based communication protocol.
I suspect that everyone interested in this idmapper has a local cache.
So we will spend some time implementing the TCP, and perhaps no one will
ever use it this way.
For us we can easily use the GSS interface into MIT Kerberos for signing
packets. Hope this is acceptable. I suggest RC4 HMAC, or some other
enctype that does not require salt.
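Added example (not code from this thread, from Centrify, or from Samba): a signed sid-to-uid request/response exchange of the kind the TCP variant of the idmapper would need, showing what a per-message integrity check buys that the unix-domain-socket path does not: the receiver rejects a modified message and a replayed one. HMAC-MD5 over a constructed session key stands in for gss_get_mic()/gss_verify_mic() on an established GSS context; it is not the GSSAPI call and not the RC4-HMAC checksum format. The session key, SIDs, idmap table, framing and function names are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import struct

# Constructed session key: stands in for the key an established GSS context
# holds (assumption; a real daemon gets it from gss_init_sec_context /
# gss_accept_sec_context, never from a constant).
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed SID -> uid table standing in for the idmapper's backing store.
IDMAP_TABLE = {
    "S-1-5-21-1-2-3-1000": 10000,
    "S-1-5-21-1-2-3-1001": 10001,
}

MIC_LEN = 16  # HMAC-MD5 output size
HDR = struct.Struct(">QH")  # 64-bit sequence number, 16-bit payload length


def mic(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-MD5 over (seq || payload). Stand-in for gss_get_mic(); this is
    not the GSSAPI call and not the Kerberos RC4-HMAC checksum format."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.md5).digest()


def pack_message(key: bytes, seq: int, body: dict) -> bytes:
    """Frame: header | JSON payload | MIC. The sequence number is covered by
    the MIC so whoever sits on the TCP path cannot rewrite it."""
    payload = json.dumps(body, sort_keys=True).encode()
    return HDR.pack(seq, len(payload)) + payload + mic(key, seq, payload)


class SignedChannel:
    """Receiving end of one direction: checks the MIC first, then enforces a
    strictly increasing sequence number so a captured message cannot be
    replayed (the job GSS_C_REPLAY_FLAG / GSS_C_SEQUENCE_FLAG do for a GSS
    context)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def unpack(self, msg: bytes) -> dict:
        if len(msg) < HDR.size + MIC_LEN:
            raise ValueError("short message")
        seq, plen = HDR.unpack(msg[:HDR.size])
        payload = msg[HDR.size:HDR.size + plen]
        tag = msg[HDR.size + plen:]
        if len(payload) != plen or len(tag) != MIC_LEN:
            raise ValueError("truncated message")
        # Verify before parsing: nothing unauthenticated reaches json.loads.
        if not hmac.compare_digest(tag, mic(self.key, seq, payload)):
            raise ValueError("bad MIC")
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order sequence")
        self.last_seq = seq
        return json.loads(payload)


def serve_sid2uid(request: bytes, server_rx: SignedChannel, key: bytes, seq: int) -> bytes:
    """Server side: verify the request, look up the SID, sign the answer."""
    req = server_rx.unpack(request)
    uid = IDMAP_TABLE.get(req["sid"])
    return pack_message(key, seq, {"sid": req["sid"], "uid": uid})


def lookup(sid: str, key: bytes = SESSION_KEY) -> dict:
    """One round trip: client -> server -> client, each side verifying."""
    client_rx, server_rx = SignedChannel(key), SignedChannel(key)
    request = pack_message(key, 1, {"op": "sid2uid", "sid": sid})
    response = serve_sid2uid(request, server_rx, key, 1)
    return client_rx.unpack(response)


def tamper_detected(msg: bytes, key: bytes = SESSION_KEY) -> bool:
    """Flip one payload byte; a correct receiver must reject it as a bad MIC."""
    bad = bytearray(msg)
    bad[HDR.size + 2] ^= 0x01
    try:
        SignedChannel(key).unpack(bytes(bad))
        return False
    except ValueError as e:
        return str(e) == "bad MIC"


def replay_detected(msg: bytes, key: bytes = SESSION_KEY) -> bool:
    """Deliver the same valid message twice; the second copy must be refused."""
    rx = SignedChannel(key)
    rx.unpack(msg)
    try:
        rx.unpack(msg)
        return False
    except ValueError as e:
        return e.args[0].startswith("replayed")


if __name__ == "__main__":
    req = pack_message(SESSION_KEY, 1, {"op": "sid2uid", "sid": "S-1-5-21-1-2-3-1000"})
    print(lookup("S-1-5-21-1-2-3-1000"), tamper_detected(req), replay_detected(req))
```

The MIC is checked before the payload is parsed, and the sequence number is inside the signed data; both are what a GSS-based implementation gets from gss_verify_mic() on a context negotiated with the replay and sequence flags. The per-message MAC computation on every request is the cost that a purely local, unsigned unix-domain socket avoids, which is the trade-off under discussion in this thread.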