Proposal/Idea: Remove support for using rfc2307 attributes for s4 id-mapping?
Matthieu Patou
mat at matws.net
Mon Oct 15 12:20:05 MDT 2012
On 10/15/2012 08:48 AM, simo wrote:
> On Mon, 2012-10-15 at 17:10 +0200, steve wrote:
>> On 15/10/12 16:51, Michael Adam wrote:
>>
>>> - Addressing one frequent request:
>>> There is no good reason I know for requiring a user/group to
>>> have the same unix-ID on all DCs for a given domain.
>> It is of vital importance for those of us who have Linux clients in the
>> domain and serve them using NFS, that uidNumber and gidNumber remain the
>> same no matter which DC is queried. When a user or group is created, we
>> add the necessary rfc2307 classes and attributes to AD. We bypass
>> idmap.ldb altogether. idmap_use:rfc2307 = Yes allows us to do this.
>>
>> Please do not remove this excellent facility.
>> -1 to the proposal.
>> Cheers,
>> Steve
> Steve I up the ante, I wouls like to remove idmap.ldb entirely, and use
> rfc2307 attributes as the only idmap facility (for our own
> domain/forest).
What about workstations ? will you also give a posix uid to them ?
without it GPO and any file access from the workstation won't work in a
pure RFC2307 world.
What about the groups used owner ? you just have to see how Andrew is
struggling with to understand that RFC2307 is not a good answer for this.
Is there a lot of persons serving NFS from a DC ?
Note that we could easily improve our idmap.ldb code so that when
allocating a UID/GID we first check in the user/group for the existence
of posixUID/posixGID and write down this value in our idmap.ldb.
So it looks like rfc2307 but it's not and allow us not to have a special
module, because the idea is that we want to avoid having to much backend
for the future winbindd.
Matthieu
More information about the samba-technical
mailing list