idra at samba.org
Tue Oct 3 15:46:23 GMT 2006
On Tue, 2006-10-03 at 17:39 +0200, Volker Lendecke wrote:
> On Tue, Oct 03, 2006 at 11:28:42AM -0400, simo wrote:
> > Uhmm this is a bet and needs cooperation from other code.
> > What if we cannot lookup a trusted domain SID because a WAN link is down
> > and then we find out it was a user SID? We cannot retroactively change
> > the permissions set on disk.
> > Back in 2001 at Jeremy's house (CIFS conf) I remember I already proposed
> > to always use a single range and alloc both a uid and a gid at the same
> > time and always use both the uid and the gid in file permissions, but
> > this was not accepted as Jeremy said it would have had a too big impact
> > on the ACL code.
> It will be intrusive, but if we mess with idmap we should
> get it right.
That's my desire too.
> P.S: I hope I don't sound like someone pushing back
> solutions because they are not 100%. I'm not saying that
> this is really a no-go, but I would like to see it done with
> that problem in mind.
To be honest that solution is my dream since at least 4-5 years :-)
But I don't want to mess too much with the current code.
The current idmap interface can be used for that purpose, once the rules
are all inside the IDmap code, it will be really easy to change the
current behavior to what you ask.
So if current design is ok, I'd propose to write down the new IDmap
implementation so that it is equivalent with the current behavior and
then when we are ok with it, discuss a bit further and eventually change
the allocation rules to implement the unified Unix ID mapping and
change other code accordingly.
Samba Team GPL Compliance Officer
email: idra at samba.org
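
Added example, not part of the original message and not Samba code: a toy model of the failure discussed in the thread (an ACL written while the SID type is only a guess) next to the single-range allocation that gives each SID one number used as both uid and gid. The class names, ID ranges and the SID are constructed assumptions.

```python
# Constructed toy model, not Samba code: class names, ranges and SIDs are assumptions.
import itertools

class SplitIdmap:
    """Separate uid/gid ranges: the SID type must be guessed when it cannot be looked up."""
    def __init__(self):
        self.uids, self.gids = itertools.count(10000), itertools.count(20000)
        self.map = {}                                  # (sid, kind) -> number

    def get(self, sid, kind):
        if (sid, kind) not in self.map:
            self.map[(sid, kind)] = next(self.uids if kind == "user" else self.gids)
        return self.map[(sid, kind)]

    def acl_for(self, sid, guessed_kind):
        # Only one entry is written, of whatever kind was guessed.
        return [(guessed_kind, self.get(sid, guessed_kind))]

class UnifiedIdmap:
    """One range: each SID gets a single number reserved as both uid and gid."""
    def __init__(self):
        self.ids = itertools.count(10000)
        self.map = {}                                  # sid -> number

    def get(self, sid, kind=None):                     # kind is not needed to allocate
        if sid not in self.map:
            self.map[sid] = next(self.ids)
        return self.map[sid]

    def acl_for(self, sid, guessed_kind=None):
        n = self.get(sid)
        return [("user", n), ("group", n)]             # both entries go to disk

def acl_matches(acl, uid, gids):
    """True if a process with this uid and group list matches any ACL entry."""
    return any((k == "user" and n == uid) or (k == "group" and n in gids)
               for k, n in acl)

def simulate(idmap, sid="S-1-5-21-1111-2222-3333-1105"):
    """The ACL is written while the trusted domain is unreachable (guess: group);
    the SID later turns out to be a user, who then opens the file."""
    acl = idmap.acl_for(sid, "group")
    uid = idmap.get(sid, "user")
    return acl_matches(acl, uid, gids=[])

if __name__ == "__main__":
    print("split ranges, wrong guess:", simulate(SplitIdmap()))
    print("unified range:            ", simulate(UnifiedIdmap()))
```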