Deprecated but still supported "idmap backend" actually is broken

Gerald (Jerry) Carter jerry at
Wed Oct 10 18:00:38 GMT 2007

Dmitry Butskoy wrote:
> The "idmap backend" parameter is now deprecated, but it seems to be
> supported for a while.
> Actually, for 3.0.26a, it is broken.
> Consider nsswitch/idmap.c:idmap_init() :
> If "idmap domains" config is not used, then "dom_list =
> idmap_default_domain", but the last is just "default domain" string. As
> a result, when I specify "idmap backend = rid:FOO=1000-2000" (and leave
> "idmap domains" empty), the corresponding domain name appears as "default
> domain", not "FOO" ... Then "getent passwd <uidnumber>" does not work
> etc...

"idmap backend = rid:FOO=1000-2000"

This is incorrect syntax since it implies the trusted domain
patch which was never officially supported. If you just say
"idmap backend = rid" it should be ok IIRC the past research
we did into this. If you want trusted domain support for
the rid backend, you need to use the new idmap domains syntax.

cheers, jerry
Samba                                    -------
Centeris                         -----------
"What man is a man who does not make the world better?"      --Balian
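
An added example, not part of the original post and not Samba code: a small Python check that flags the `rid:DOMAIN=low-high` form discussed above in the `[global]` section of an smb.conf and returns the equivalent lines in the idmap domains syntax. The `idmap config DOMAIN:backend` and `idmap config DOMAIN:range` keys are assumed from the smb.conf documentation for that syntax, not taken from this thread; the function names and the sample configuration are constructed.

```python
import re

# "DOMAIN=low-high" pairs after "rid:", the form the reply calls incorrect syntax.
_PAIR = re.compile(r"([^\s=]+)\s*=\s*(\d+)\s*-\s*(\d+)")

# Constructed sample input reproducing the setting from the thread.
SAMPLE = """
[global]
   workgroup = FOO
   ; idmap domains is left unset, as in the report
   idmap backend = rid:FOO=1000-2000
"""

def parse_global(conf_text):
    """Return the [global] parameters of smb.conf text as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(key.lower().split())] = value.strip().strip('"')
    return params

def check_idmap_backend(conf_text):
    """Return (finding, replacement_lines) for the 'idmap backend' setting."""
    backend = parse_global(conf_text).get("idmapbackend")
    if backend is None:
        return ("idmap backend not set", [])
    name, _, rest = backend.partition(":")
    pairs = _PAIR.findall(rest) if name.strip().lower() == "rid" else []
    if not pairs:
        return ("no per-domain range in idmap backend", [])
    # Assumed equivalent in the idmap domains syntax (see lead-in).
    lines = ["idmap domains = " + " ".join(dom for dom, _, _ in pairs)]
    for dom, low, high in pairs:
        lines.append(f"idmap config {dom}:backend = rid")
        lines.append(f"idmap config {dom}:range = {low}-{high}")
    return ("per-domain range in deprecated idmap backend", lines)

if __name__ == "__main__":
    finding, replacement = check_idmap_backend(SAMPLE)
    print(finding)
    print("\n".join(replacement))
```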