idra at samba.org
Tue Oct 3 18:54:37 GMT 2006
On Tue, 2006-10-03 at 20:50 +0200, Volker Lendecke wrote:
> On Tue, Oct 03, 2006 at 02:42:05PM -0400, simo wrote:
> > Samba Server A
> > Member of Domain ADOM
> > Samba Server B
> > Member of Domain BDOM
> > BDOM trusts ADOM but not the other way around
> > In thi case if you have a single allocation pool you can end up with
> > conflicts
> No, this does work now. The uid's and gid's are mixed for
> server B, and A would in theory be able to access ID mapping
> entries for SIDs it will never see, but so what. It does not
> care about those SIDs anyway.
It cares if they appear on a workstation and the user copies data from
one domain to the other.
> > If you have 2 allocation pools (one for BUILTIN and one for the domain
> > you are member of) you can configure things this way:
> > BUILTIN:tdb:500-1000
> > ADOM:ldap:10001-30000
> > BDOM:ldap:30001-50000
> And you will still need a *:ldap:50001-100000 for all
> domains you right now are not aware on.
I'd like to leave that decision to the admin (the default config will be
something like that normally).
> > note that on ServerB ADOM will be readonly so you cannot allocate in
> > that range as you are not trusted (think of locally managed branch
> > offices).
> No, I don't see how this can work. Use idmap_rid for this
Can't do that if ADOM has been working for a couple of years already and
you just happen to be willing to add support for BDOM
> What about the SIDs from ADOM that B sees and Samba
> server A happened to never have seen and thus has not put in
> mappings for?
B trusts ADOM so it will most probably see SIDs from there, and there is
always the case a workstation transfer files between domains.
> This is the admin chaos I talked about.
It may seem complex, but if you consider that the default case will
simply to have *:ldap:10000-50000 I think we are not making it too
complex for the average admin.
Samba Team GPL Compliance Officer
email: idra at samba.org
More information about the samba-technical