change idmap in the same way as passdb

Andrew Bartlett abartlet at samba.org
Thu Dec 18 14:56:17 MST 2014


On Thu, 2014-12-18 at 22:18 +0100, Stefan (metze) Metzmacher wrote:
> Am 18.12.2014 um 22:07 schrieb Andrew Bartlett:
> > On Thu, 2014-12-18 at 20:27 +0100, Stefan (metze) Metzmacher wrote:
> >> Am 18.12.2014 um 10:38 schrieb Andrew Bartlett:
> >>> On Thu, 2014-12-18 at 21:23 +1300, Andrew Bartlett wrote:
> >>>> On Thu, 2014-12-18 at 09:13 +0100, Stefan (metze) Metzmacher wrote:
> >>>>> Am 18.12.2014 um 08:52 schrieb Andrew Bartlett:
> >>>>>> Metze,
> >>>>>>
> >>>>>> Now we have successfully changed the pdb library, I propose we do the
> >>>>>> same with idmap.  On a Solaris-like system a while back, I found our
> >>>>>> internal and private idmap clashing with the system idmap (for NFSv4).
> >>>>>> The same grouping library trick should be enough to avoid this issue as
> >>>>>> well.  I'll try and prepare a patch tomorrow if I'm not totally swamped
> >>>>>> in the rush before Christmas.
> >>>>>
> >>>>> Ok, do we already have a bug report for this?
> >>>>>
> >>>>> metze
> >>>>
> >>>> This looks like it:
> >>>>
> >>>> https://bugzilla.samba.org/show_bug.cgi?id=10112
> >>>
> >>> Metze,
> >>>
> >>> You suggested on private IRC that we find a generic solution in the
> >>> PRIVATE_NAME wafsamba function.  I attach my attempt at that. 
> >>>
> >>> Sadly at least on my test here, it didn't help.  Let me know if you
> >>> figure it out, otherwise we may have to ad-hoc idmap at least for now.
> >>
> >> This patch seems to work.
> > 
> > It looks like it relies on a patch I don't have, as it only applies with
> > fuzz.
> 
> See the [PATCHES] fix soname of linux nss_*.so.2 modules thread...
> 
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest
> also has the patches.

If you can get me a branch with what exactly you want reviewed as early
as possible tomorrow your time, I'll try and find time this evening.  

Some small notes:
 - In the new trusted domain cli_credentials code, you don't need a new
lp_ctx, use the one on the dsdb private state pointer. 

 - The RODC already checks locally first, and falls back to a remote
NETLOGON call if we get NOT_IMPLEMENTED as the reply, so the TODO isn't
required.

 - How can we test all this?  We really need to start a 2nd forest in
make test.

BTW, if you get all this going, subdomains are not far off either - most
of the problems are exactly the same. 

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





