[Samba4][Patch] Implement idmap for winbind (try 2)
Kai Blin
kai at samba.org
Tue Feb 19 22:16:59 GMT 2008
On Tuesday 19 February 2008 21:32:37 simo wrote:
> On Tue, 2008-02-19 at 17:38 +0100, Kai Blin wrote:
> > The way I understood simo, this was about using the same range for both
> > uids and gids, but two pools of numbers. What would be the benefit of
> > only using one pool?
>
> This is something that may be debatable, but the point is that if you got
> the mapping wrong (i.e. you mapped a sid to a uid but it was really a
> group), you may correct it later by just changing the mapping type and
> keeping the id.
Ok, that makes sense.
> It also allows us to experiment with some ACL mapping (not done at the
> moment) as we may try to use the same uid and gid as user and group
> owner of a file in case someone set only one owner SID (only a group for
> example). This scheme lets us have an id to set on the ACL without
> risking to give out more access than intended.
>
> This is at odds with importing an existing set of mappings so it should
> probably be a configuration option.
Uh, ok. Probably nothing that needs to be in the first iteration. I've got a
couple of things I'm really unclear about handling this.
A naive approach to this would be to just increment both the uid and the gid
high water mark if uids vs. gids should be unique. But how do I cope with a
user importing a database where the high water marks are different and then
setting the "unique ids" option? Do I just fail? Do I get max(uidNumber,
gidNumber) and just stumble along?
> Also I see you introduced another configuration option in loadparm
> (idmap trusted only).
> Can you keep it in ldb instead like for the ranges?
Can do, but my personal opinion is that this makes more sense as a
configuration option. It's an easy change, though, so whatever floats your
boat.
Cheers,
Kai
--
Kai Blin
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
--
Will code for cotton.