updated newidmap
simo
idra at samba.org
Tue Oct 3 18:54:37 GMT 2006
On Tue, 2006-10-03 at 20:50 +0200, Volker Lendecke wrote:
> On Tue, Oct 03, 2006 at 02:42:05PM -0400, simo wrote:
> > Samba Server A
> > Member of Domain ADOM
> >
> > Samba Server B
> > Member of Domain BDOM
> >
> > BDOM trusts ADOM but not the other way around
> >
> > In this case if you have a single allocation pool you can end up with
> > conflicts
>
> No, this does work now. The uid's and gid's are mixed for
> server B, and A would in theory be able to access ID mapping
> entries for SIDs it will never see, but so what. It does not
> care about those SIDs anyway.
It cares if they appear on a workstation and the user copies data from
one domain to the other.
> > If you have 2 allocation pools (one for BUILTIN and one for the domain
> > you are member of) you can configure things this way:
> >
> >
> > BUILTIN:tdb:500-1000
> > ADOM:ldap:10001-30000
> > BDOM:ldap:30001-50000
>
> And you will still need a *:ldap:50001-100000 for all
> domains you right now are not aware of.
I'd like to leave that decision to the admin (the default config will be
something like that normally).
> > note that on ServerB ADOM will be readonly so you cannot allocate in
> > that range as you are not trusted (think of locally managed branch
> > offices).
>
> No, I don't see how this can work. Use idmap_rid for this
> setup.
Can't do that if ADOM has been working for a couple of years already and
you just happen to be willing to add support for BDOM
> What about the SIDs from ADOM that B sees and Samba
> server A happened to never have seen and thus has not put in
> mappings for?
B trusts ADOM so it will most probably see SIDs from there, and there is
always the case where a workstation transfers files between domains.
> This is the admin chaos I talked about.
It may seem complex, but if you consider that the default case will
simply be to have *:ldap:10000-50000 I think we are not making it too
complex for the average admin.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
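The thread's central worry is ID collisions: with one allocation pool, or with per-domain ranges that overlap, two SIDs from different domains can end up mapped to the same uid/gid. The script below is an added example, not Samba code and not part of the original message; it takes the `DOMAIN:backend:low-high` notation Simo uses above (an assumption about the proposed syntax, not the shipping smb.conf syntax), validates each range, reports any pair of ranges that overlap, and resolves which domain's pool a given uid falls into, with `*` as the catch-all entry. The sample configurations are constructed for the example.

```python
"""Check a set of idmap allocation ranges for overlaps.

Added example (not Samba's own code). Assumes the DOMAIN:backend:LOW-HIGH
notation used in the thread above; a domain of "*" is the default pool.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdmapEntry:
    domain: str
    backend: str
    low: int
    high: int


def parse_idmap_line(line: str) -> IdmapEntry:
    """Parse one 'DOMAIN:backend:LOW-HIGH' line; reject malformed ranges."""
    parts = line.strip().split(":")
    if len(parts) != 3:
        raise ValueError(f"expected DOMAIN:backend:LOW-HIGH, got {line!r}")
    domain, backend, rng = parts
    low_s, high_s = rng.split("-", 1)
    low, high = int(low_s), int(high_s)
    if low < 0 or low > high:
        raise ValueError(f"invalid range {rng!r} for domain {domain}")
    return IdmapEntry(domain, backend, low, high)


def parse_idmap_config(text: str) -> List[IdmapEntry]:
    """Parse all non-empty, non-comment lines of a config fragment."""
    return [
        parse_idmap_line(line)
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    ]


def find_overlaps(entries: List[IdmapEntry]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose ranges share at least one ID.

    Any shared ID is a collision risk: the same uid/gid could be handed
    out to SIDs from two different domains. Pairwise check; the number of
    idmap entries on a real server is small enough that O(n^2) is fine.
    """
    overlaps = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.low <= b.high and b.low <= a.high:
                overlaps.append((a.domain, b.domain))
    return overlaps


def domain_for_id(entries: List[IdmapEntry], unix_id: int) -> Optional[str]:
    """Which pool does a uid/gid belong to? Specific domains win over '*'."""
    match = None
    for e in entries:
        if e.low <= unix_id <= e.high:
            if e.domain != "*":
                return e.domain
            match = e.domain
    return match


# Constructed sample: the layout proposed in the thread plus a catch-all.
GOOD_CONFIG = """\
BUILTIN:tdb:500-1000
ADOM:ldap:10001-30000
BDOM:ldap:30001-50000
*:ldap:50001-100000
"""

# Constructed sample: BDOM's range starts inside ADOM's range.
BAD_CONFIG = """\
BUILTIN:tdb:500-1000
ADOM:ldap:10001-30000
BDOM:ldap:20000-50000
"""


def check_config(text: str) -> List[Tuple[str, str]]:
    """Parse a config fragment and return its overlapping domain pairs."""
    return find_overlaps(parse_idmap_config(text))


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        bad_pairs = check_config(cfg)
        status = "OK" if not bad_pairs else f"OVERLAP {bad_pairs}"
        print(f"{name}: {status}")
    entries = parse_idmap_config(GOOD_CONFIG)
    for uid in (750, 15000, 45000, 60000, 200):
        print(f"uid {uid} -> {domain_for_id(entries, uid)}")
```

Run it against a proposed layout before committing it: an empty overlap list means every uid/gid can be attributed to exactly one domain pool, which is the property that makes a read-only ADOM range on server B safe to reason about.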