[Samba4][Patch] Implement idmap for winbind (try 2)

Kai Blin kai at samba.org
Tue Feb 19 22:16:59 GMT 2008

On Tuesday 19 February 2008 21:32:37 simo wrote:
> On Tue, 2008-02-19 at 17:38 +0100, Kai Blin wrote:
> > The way I understood simo, this was about using the same range for
> > both uids
> > and gids, but two pools of numbers. What would be the benefit of only
> > using
> > one pool?
> This is something that maybe debatable, but the point is that if you got
> the mapping wrong (ie you mapped a sid to a uid but it was really a
> group, you may correct it later by just changing the mapping type and
> keeping the id.

Ok, that makes sense.

> It also allows us to experiment with some ACL mapping (not done at the
> moment) as we may try to use the same uid and gid as user and group
> owner of a file in case someone set only one owner SID (only a group for
> example). This scheme let us have an id to set on the ACL without
> risking to give out more access then intended.
> This is at odds with importing an existing set of mappings so it should
> probably be a configuration option.

Uh, ok. Probably nothing that needs to be in the first iteration. I've got a 
couple of things I'm really unclear about handling this.

A naive approach to this would be to just increment both the uid and the gid 
high water mark if uids vs. gids should be unique. But how do I cope with a 
user importing a data base where the high water marks are different and then 
setting the "unique ids" option. Do I just fail? Do I get max(uidNumber, 
gidNumber) and just stumble along?

> Also I see you introduced another configuration option in loadparm
> (idmap trusted only).
> Ccan you keep it in ldb instead like for the ranges?

Can do, but my personal opinion is that this makes more sense as a 
configuration option. It's an easy change, though, so whatever floats your 


Kai Blin
WorldForge developer  http://www.worldforge.org/
Wine developer        http://wiki.winehq.org/KaiBlin
Samba team member     http://www.samba.org/samba/team/
Will code for cotton.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.samba.org/archive/samba-technical/attachments/20080219/54ef8bbb/attachment.bin

More information about the samba-technical mailing list