yet another idmap rewrite - still for 3.6 ?

idra at idra at
Wed Aug 4 12:43:49 MDT 2010

On Wed, Aug 04, 2010 at 11:09:27AM +0200, Stefan (metze) Metzmacher wrote:

> >> Some more radical changes I would like to see but which I need
> >> to think some more about are these:
> >>
> >> * I'd like to have winbindd be responisble for all sid<->uid
> >>   mappings, also for passdb. This would greatly simplify the
> >>   code. THis would also make the "always give passdb a chance
> >>   first" code path vanish - passdb would ask winbindd instead.
> Sounds very good.

I am not sure I agree that splitting this stuff out of passdb is a good idea.
This data is intimately connected in many ways, so it seems clear to me that
there should be only one piece of code in charge of dealing with IDs (meaning
both SIDs and Unix IDs, and that code should probably be whatever implements
LSA/SAMR in the long term.
We historically divided it in different databases for various reasons (mostly
because smbpasswd was a very limited format), but if you look at AD and LDAP,
this information is always kept with the rest of users and groups data (and
for good reasons).

This way you have to replace only one single daemon if you want to implement
a different backend for all this information.

> > The idea originally that passdb knows the unix UID best, and so should
> > be able to supply the ID mapping has caused just too much pain.  It is
> > better indeed to have the one single idmapping engine, and for backends
> > like LDAP, to have this configured to read the same actual entries, but
> > via a different route. 
> > 
> >> * Group mapping always puzzles me, and I think this should
> >>   be integrated with id mapping.
> > 
> > I certainly think that the ID component of group mapping should.  The
> > rest of group mapping is about marking the group type and possibly a
> > 'windows name' right?
> I think we should get rid of group mapping and have complete group support.
> IDMAP would be the only place where we map a SID to a unix uid/gid.

If you put everything in one database you map everything in one place and don't
need special mapping facilities anymore.


Simo Sorce       idra at
Samba Team

More information about the samba-technical mailing list