updated newidmap

simo idra at samba.org
Tue Oct 3 18:42:05 GMT 2006


On Tue, 2006-10-03 at 20:34 +0200, Volker Lendecke wrote:
> On Tue, Oct 03, 2006 at 02:24:05PM -0400, simo wrote:
> > Ok this is more or less what I had in mind, only you have to consider
> > that you may have different ranges for different modules so in the end
> > it does not make sense to me to split it completely out.
> 
> I don't see the necessity to have different ranges that you
> can allocate from for separate domains. The only reason from
> my point of view to have backends per domain is the static
> ones like idmap_rid and idmap_ad. Having different pools to
> allocate from makes no sense I think, you will anyway need a
> general fallback pool if a SID passes by that does not match
> any domain you are aware of or you currently have
> configured. Separate pools lead to admin chaos.


Think of this scenario:

Samba Server A
Member of Domain ADOM

Samba Server B
Member of Domain BDOM

BDOM trusts ADOM but not the other way around

In this case if you have a single allocation pool you can end up with
conflicts.

If you have 2 allocation pools (one for BUILTIN and one for the domain
you are member of) you can configure things this way:


BUILTIN:tdb:500-1000
ADOM:ldap:10001-30000
BDOM:ldap:30001-50000

Note that on ServerB ADOM will be read-only, so you cannot allocate in
that range as you are not trusted (think of locally managed branch
offices).
And on ServerA any allocation made by ServerB for IDs outside the 30001-50000
range will simply be ignored (so that the local branch office cannot
mess with the central server even if the admin does stupid things).

Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
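The two-pool scheme Simo sketches above, modelled as an added Python example (this is not Samba's idmap code; the DOMAIN:backend:low-high parsing, the `writable` set marking which pools a server may allocate from, and the function names are assumptions made for the illustration). It shows the three properties the mail relies on: non-overlapping ranges, a read-only pool for the domain that does not trust you, and the central server ignoring out-of-range mappings from the branch:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdmapRange:
    domain: str
    backend: str
    low: int
    high: int
    writable: bool  # False where this server may not allocate (ADOM seen from ServerB)

# Constructed config in the mail's DOMAIN:backend:low-high notation (assumed syntax)
CONFIG = ["BUILTIN:tdb:500-1000", "ADOM:ldap:10001-30000", "BDOM:ldap:30001-50000"]

def parse_ranges(lines, writable):
    """Build the per-domain pools; overlapping ranges are rejected because they
    would reintroduce the allocation conflicts a single shared pool suffers from."""
    ranges = {}
    for line in lines:
        domain, backend, span = line.split(":")
        low, high = (int(x) for x in span.split("-"))
        if low > high:
            raise ValueError(f"{domain}: empty range {span}")
        for other in ranges.values():
            if low <= other.high and other.low <= high:
                raise ValueError(f"{domain} overlaps {other.domain}")
        ranges[domain] = IdmapRange(domain, backend, low, high, domain in writable)
    return ranges

def allocate(ranges, domain, used):
    """Hand out the lowest free ID from the domain's own pool.  A read-only pool
    (a domain that does not trust this server) never allocates, whatever is asked."""
    r = ranges[domain]
    if not r.writable:
        raise PermissionError(f"{domain} is read-only on this server")
    for uid in range(r.low, r.high + 1):
        if uid not in used:
            used.add(uid)
            return uid
    raise RuntimeError(f"{domain} pool exhausted")

def accept_mapping(ranges, domain, uid):
    """ServerA's filter for mappings received from ServerB: a mapping claimed for
    `domain` is honoured only if the ID sits inside that domain's range."""
    r = ranges.get(domain)
    return r is not None and r.low <= uid <= r.high
```

On ServerB the pools would be built with `writable={"BUILTIN", "BDOM"}`, so any attempt to allocate from the ADOM range fails before an ID is handed out.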


