Volker Lendecke Volker.Lendecke at SerNet.DE
Sat Aug 9 09:06:42 GMT 2008

On Fri, Aug 08, 2008 at 08:25:15PM -0400, simo wrote:
> On Sat, 2008-08-09 at 00:56 +0200, Volker Lendecke wrote:
> > On Fri, Aug 08, 2008 at 03:06:22PM -0400, simo wrote:
> > > I think the problem here is that tdb will still be the default.
> > > Ie it will happily allocate for foreign domains unless there is an
> > > explicit configuration for them.
> > 
> > Yes, and that is deliberate.
> > 
> > We could implement something like "winbind ignore domains"
> > the opposite of that, but with that winbind would not accept
> > anything at all for the filtered domains, not only idmap
> > requests would be dropped. From my point of view it does
> > not make sense to allow one kind of request (i.e. for
> > example PAM auth) but not others (i.e. sid2uid).
> It does, for example right now ntlm_auth could care less about idmapping
> and it should stay that way.

In the installations I have seen so far the use of ntlm_auth
was not tied to unix accounts at all, it was on specialized
machines like squid or apache webservers. These are isolated
boxes even without nss_winbind around, so they do not have
any need for id mapping.

What is your scenario for a box that needs both an
unrestricted ntlm_auth and restricted id mapping?
