updated newidmap

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Oct 3 18:50:49 GMT 2006


On Tue, Oct 03, 2006 at 02:42:05PM -0400, simo wrote:
> Samba Server A
> Member of Domain ADOM
> 
> Samba Server B
> Member of Domain BDOM
> 
> BDOM trusts ADOM but not the other way around
> 
> In this case if you have a single allocation pool you can end up with
> conflicts

No, this does work now. The uids and gids are mixed for
server B, and A would in theory be able to access ID mapping
entries for SIDs it will never see, but so what. It does not
care about those SIDs anyway.

> If you have 2 allocation pools (one for BUILTIN and one for the domain
> you are member of) you can configure things this way:
> 
> 
> BUILTIN:tdb:500-1000
> ADOM:ldap:10001-30000
> BDOM:ldap:30001-50000

And you will still need a *:ldap:50001-100000 for all
domains you right now are not aware of.

> note that on ServerB ADOM will be readonly so you cannot allocate in
> that range as you are not trusted (think of locally managed branch
> offices).

No, I don't see how this can work. Use idmap_rid for this
setup. What about the SIDs from ADOM that B sees and Samba
server A happened to never have seen and thus has not put in
mappings for? This is the admin chaos I talked about.

Volker
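The two failure modes argued over above (per-domain ranges that collide, and a member server that meets SIDs from a trusted domain nobody configured a range for) can be checked mechanically before a config goes live. The following is an added example written for this archive page; it is neither Samba code nor anything posted in the thread. It assumes the `idmap config DOMAIN : backend` / `idmap config DOMAIN : range` syntax of current Samba releases rather than the `DOMAIN:backend:range` shorthand proposed in 2006, and the two smb.conf fragments, the domain SID and the RIDs are constructed for illustration. The `rid_to_uid` helper reproduces the documented idmap_rid arithmetic (uid = low_id + RID, with the default base_rid of 0) to show why that backend needs no shared allocation state between servers A and B.

```python
"""Sanity checks for Samba idmap ranges plus a model of idmap_rid.

Added example, not Samba's own code.  Syntax is the current
'idmap config DOMAIN : key = value' form; configs and SIDs are constructed.
"""
import re

# Matches e.g. "idmap config ADOM : range = 10001-30000" or "idmap config * : backend = tdb"
IDMAP_LINE = re.compile(
    r'^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$', re.I)


def parse_idmap(conf: str) -> dict:
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == 'range':
            low, high = (int(x) for x in val.split('-'))
            if low > high:
                raise ValueError(f'{dom}: inverted range {val}')
            entry['range'] = (low, high)
        else:
            entry['backend'] = val.lower()
    return cfg


def check_idmap(cfg: dict) -> list:
    """Return a list of problems; an empty list means the ranges are usable."""
    problems = []
    # Volker's point: without a '*' catch-all, SIDs from trusted domains that
    # were never given an explicit range cannot be mapped at all.
    if '*' not in cfg:
        problems.append("no 'idmap config * : range' catch-all for domains "
                        "not listed explicitly")
    doms = sorted(cfg.items(), key=lambda kv: kv[1].get('range', (0, 0)))
    for i, (d1, e1) in enumerate(doms):
        if 'range' not in e1 or 'backend' not in e1:
            problems.append(f'{d1}: both backend and range must be set')
            continue
        # Ranges are sorted by low end, so any later range whose low end is
        # at or below this range's high end overlaps it (same uid, two SIDs).
        for d2, e2 in doms[i + 1:]:
            if 'range' in e2 and e2['range'][0] <= e1['range'][1]:
                problems.append(f'{d1} {e1["range"]} overlaps {d2} {e2["range"]}')
    return problems


def rid_to_uid(sid: str, domain_sid: str, low: int, high: int):
    """idmap_rid mapping: uid = low + RID (base_rid 0).  Deterministic, so
    servers A and B agree without sharing an allocation pool.  Returns None
    for a SID outside the domain or a RID that would leave the range."""
    if not sid.startswith(domain_sid + '-'):
        return None
    rid = int(sid.rsplit('-', 1)[1])
    uid = low + rid
    return uid if uid <= high else None


# Constructed: the thread's layout, but with no catch-all and BDOM starting
# one id too low, so it collides with ADOM's top id.
BAD_CONF = """
[global]
   idmap config BUILTIN : backend = tdb
   idmap config BUILTIN : range = 500-1000
   idmap config ADOM : backend = ldap
   idmap config ADOM : range = 10001-30000
   idmap config BDOM : backend = ldap
   idmap config BDOM : range = 30000-50000
"""

# Constructed: catch-all present, ADOM handled by idmap_rid as suggested.
GOOD_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 50001-100000
   idmap config ADOM : backend = rid
   idmap config ADOM : range = 10001-30000
   idmap config BDOM : backend = ldap
   idmap config BDOM : range = 30001-50000
"""

if __name__ == '__main__':
    for name, conf in (('BAD_CONF', BAD_CONF), ('GOOD_CONF', GOOD_CONF)):
        print(name, check_idmap(parse_idmap(conf)) or 'ok')
    print(rid_to_uid('S-1-5-21-1-2-3-1105', 'S-1-5-21-1-2-3', 10001, 30000))
```

The overlap check sorts ranges by their low end and compares each one only with the ranges that start after it, so nested and partially overlapping ranges are both caught. `rid_to_uid` returns `None` rather than a uid when the RID would push the id past the range's high end; a real deployment sizes the rid range to the largest RID the domain can hand out, because an unmappable SID is a denied login, not a silent fallback.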