Broken idmap interface design

Gerald (Jerry) Carter jerry at
Thu Apr 19 14:49:21 GMT 2007

Hash: SHA1


> On Thu, 2007-04-19 at 23:30 +1000, Luke Howard wrote:
>> Sorry to jump in here, one thing I'd like to see 
>> in idmap_ad is support for using the Global Catalog. Shouldn't
>> be too hard. Thoughts?
> Well IIRC rfc2307 attributes are not exposed via GC by 
> default, so to use it we must have fallback code in place.
> Not that hard, but I guess this is more of a 3.0.26 feature.
> I am working only to stabilize the code for offline
> usage right now.

It's actually worse than that.  The idmap interface is
badly broken.  I hate to say this, but the calls into
winbindd from the idmap child has to go.  I know how you
arrived at the design assumptions.

You designed the unixids_to_sids() and sids_to_unixids()
with the assumption that the idmap plugin would have
knowledge about the SID type.  I didn't catch this
because the backend I'm using for primary testing operates
similarly to idmap_ad and can obtain the SID type based
on LDAP searches.  This is ok for something like idmap_ad
which can get the information.  But the general and
default case is idmap_tdb (or even idmap_ldap).

Requiring the idmap_tdb code (or idmap_rid) to issues a
winbindd client call is wrong and a layering violation.  The
caller should specify the SID type which is exactly what
the WINBINDD_SID_TO_UID, et. al. calls used to do.

Right now I'm going to do several things in order to get
the code to a release point.

(a) Remove WINBINDD_SIDS_TO_XIDS from winbindd_nss.h to
    prevent us from having to support the broken call in
    future releases.  The existing idmap_methods API will
    not change but will become solely an internal interface
    used by winbindd.

(b) Overload the id_map.xid.type to be specified by the caller
    and not filled by the idmap backend.

(c) convert smbd back to the 3.0.24 method of mapping
    SIDs one by one to create the Unix token

Post 3.0.25 I'm going to rewrite the idmap query interface
to use a formal parameter list instead of the struct **id_map
in/out buffer and make it explicit that the caller is to
specify the SID type as part of the query.

It is likely that this will delay the 3.0.25.  Please don't make
any more changes to SAMBA_3_0_25/source/nsswitch/idmap*.[ch]
right now.  Thanks.

cheers, jerry
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


More information about the samba-technical mailing list