change idmap in the same way as passdb

Stefan (metze) Metzmacher metze at
Thu Dec 18 16:43:46 MST 2014

On 18.12.2014 at 22:56, Andrew Bartlett wrote:
> On Thu, 2014-12-18 at 22:18 +0100, Stefan (metze) Metzmacher wrote:
>> On 18.12.2014 at 22:07, Andrew Bartlett wrote:
>>> On Thu, 2014-12-18 at 20:27 +0100, Stefan (metze) Metzmacher wrote:
>>>> On 18.12.2014 at 10:38, Andrew Bartlett wrote:
>>>>> On Thu, 2014-12-18 at 21:23 +1300, Andrew Bartlett wrote:
>>>>>> On Thu, 2014-12-18 at 09:13 +0100, Stefan (metze) Metzmacher wrote:
>>>>>>> On 18.12.2014 at 08:52, Andrew Bartlett wrote:
>>>>>>>> Metze,
>>>>>>>> Now we have successfully changed the pdb library, I propose we do the
>>>>>>>> same with idmap.  On a solaris-like system a while back, I found our
>>>>>>>> internal and private idmap clashing with the system idmap (for NFSv4).
>>>>>>>> The same grouping library trick should be enough to avoid this issue as
>>>>>>>> well.  I'll try and prepare a patch tomorrow if I'm not totally swamped
>>>>>>>> in the rush before Christmas.
>>>>>>> Ok, do we already have a bug report for this?
>>>>>>> metze
>>>>>> This looks like it:
>>>>> Metze,
>>>>> You suggested on private IRC that we find a generic solution in the
>>>>> PRIVATE_NAME wafsamba function.  I attach my attempt at that. 
>>>>> Sadly at least on my test here, it didn't help.  Let me know if you
>>>>> figure it out, otherwise we may have to ad-hoc idmap at least for now.
>>>> This patch seems to work.
>>> It looks like it relies on a patch I don't have, as it only applies with
>>> fuzz.
>> See the [PATCHES] fix soname of linux nss_*.so.2 modules thread...
>> also has the patches.
> If you can get me a branch with what exactly you want reviewed as early
> as possible tomorrow your time, I'll try and find time this evening.

;a=shortlog;h=refs/heads/master4-forest-ok
has everything...

> Some small notes:
>  - In the new trusted domain cli_credentials code, you don't need a new
> lp_ctx, use the one on the dsdb private state pointer. 


>  - The RODC already checks locally first, and falls back to a remote
> NETLOGON call if we get NOT_IMPLEMENTED as the reply, so the TODO isn't
> required

Ah, ok the winbindd_dual_auth_passdb() calls...

>  - How can we test all this?  We really need to start a 2nd forest in
> make test.

I'm working on this next, first I need something like 'samba-tool domain
trust add'

> BTW, if you get all this going, subdomains are not far off either - most
> of the problems are exactly the same. 

Yes, similar.



More information about the samba-technical mailing list