Deprecated but still supported "idmap backend" actually is broken
simo
idra at samba.org
Fri Oct 12 15:12:38 GMT 2007
On Fri, 2007-10-12 at 19:04 +0400, Dmitry Butskoy wrote:
> simo wrote:
> > I am still building packages to test but if you want to give it a try
> > you'll find attached my first take
> >
>
> The patch should be fixed a little.
>
> When we change the idmap dom name from the "default domain" to the name
> of the actual primary domain (lp_workgroup()), it causes the "trusted
> domains only" feature to no longer work. (IOW the case of the idmap_nss
> "hidden" backend).
>
> Consider a case, when we:
> - do not specify any idmap backends or idmap domains at all;
> - and specify "winbind trusted domains only = yes" (for UNIX accounts
> that come from UNIX NSS).
>
> Consider (new, patched) "nsswitch/idmap.c:idmap_init()" again:
>
[..]
> > if (strequal(dom_list[i], lp_workgroup())) {
> > pri_dom_is_in_list = True;
> yes, it is True now, but was False before the patch was applied (when
> dom_list[i] was "default domain")
Oooh *good* catch, I looked at that initially but missed this detail
later on, I should probably change this to check if dom_list[i] is also
== default domain ... I'll post a new patch shortly.
[..]
> IOW, now by default (when both "idmap backend" and "idmap domains" are
> empty), the "pri_dom_is_in_list" is always True, which prevents the
> use of the "winbind trusted domains only = yes" feature...
yeah, this is true, I'll fix this asap (probably Monday at this point,
busy elsewhere today).
Thanks a lot.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>