Deprecated but still supported "idmap backend" actually is broken

Gerald (Jerry) Carter jerry at samba.org
Wed Oct 10 18:00:38 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dmitry Butskoy wrote:
> The "idmap backend" parameter is now deprecated, but it seems to be
> supported for a while.
> 
> Actually, for 3.0.26a, it is broken.
> 
> 
> Consider nsswitch/idmap.c:idmap_init() :
> 
> If "idmap domains" config is not used, then "dom_list =
> idmap_default_domain", but the last is just "default domain" string. As
> a result, when I specify "idmap backend = rid:FOO=1000-2000" (and leave
> "idmap domains" empty), the correspond domain name appears as "default
> domain", not "FOO" ... Then "getent passwd <uidnumber>" does not work
> etc...

"idmap backend = rid:FOO=1000-2000

This is incorrect syntax since it implies the trusted domain
patch which was never officially support.   If you just say
"idmap backend = rid" it should be ok IIRC the past research
we did into this.  If you want trusted domain supports for
the rid backend, you need to use the new idmap domains syntax.





cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHDRNGIR7qMdg1EfYRAmwqAJoDw/DfMEM8UelluANK7q5dKMBhMACg3f5T
dUZwcwxr2GdcoiKnXH5+IhE=
=hJp2
-----END PGP SIGNATURE-----


More information about the samba-technical mailing list