Deprecated but still supported "idmap backend" actually is broken

simo idra at
Fri Oct 12 15:12:38 GMT 2007

On Fri, 2007-10-12 at 19:04 +0400, Dmitry Butskoy wrote:
> simo wrote:
> > I am still building packages to test but if you want to give it a try
> > you'll find attached my first take
> >   
> The patch should be fixed a little.
> When we change the idmap dom name from the "default domain" to the name 
> of the actual primary domain (lp_workgroup()), it leads the "trusted 
> domains only" feature no more work. (IOW the case of idmap_nss "hidden" 
> backend).
> Consider a case, when we:
> - do not specify any idmap backends or idmap domains at all;
> - and specify "winbind trusted domains only = yes" (for UNIX accounts 
> comes from UNIX NSS).
> Consider (new, patched) "nsswitch/idmap.c:idmap_init()" again:


> >         if (strequal(dom_list[i], lp_workgroup())) {
> >             pri_dom_is_in_list = True;
> yes, it is True now, but was False before the patch applied (when 
> dom_list[i] was "default domain")

Oooh *good* catch, I watched at that initially but missed this detail
later on, I should probably change this to check if dom_list[i] is also
== default domain ... I'll post a new patch shortly.


> IOW, now by default (when both "idmap backend" and "idmap domains"
> are 
> empty), the "pri_dom_is_in_list" is always True, which prevents the 
> using of "winbind trusted domains only = yes" feature...

yeah, this is true, I'll fix this asap (probably monday at this point,
busy elswher etoday).

Thanks a lot.

Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Senior Software Engineer at Red Hat Inc. <ssorce at>

More information about the samba-technical mailing list