[Samba] Executable 'username map'

François Laupretre francois.laupretre-prestataire at calyon.com
Fri Jul 22 11:50:53 GMT 2005


> From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
> 
> I *really* don't like this.  It's fine for a local hack
> and probably a good solution in this case, but this will
> bit rot in the tree so fast due to its very specific and 
> non-intuitive nature.
>
> A better general solution that would apply to more
> networks would be to allow the username map to be stored
> in a directory service such as NIS or LDAP.
> 
> If you want a pull based method, just have a cron job
> on each server that rebuilds the file every 10 minutes.
> No code changes necessary.

Yes, in my case, I can easily generate a new NIS map, if Samba becomes able
to read the mappings from it. And this solution would be perfect in my case.

But I thought that allowing an external program to provide the mappings
with its own logic would be a better solution, as it solves a much greater
range of cases. Examples:

- if the information lies outside of NIS or LDAP, I have to add a push
mechanism to update NIS or LDAP anytime I change my reference data. Or a
cron job, as you suggest :(

- if I cannot easily generate a map, for any reason. A rather simple case
(just as an example): if I want to give a Unix mapping to a Windows
username only if the corresponding Unix home directory is viewable (through
the automounter) from the Samba host. I also could use an external mechanism
(maybe another NIS map) to restrict access to the Samba servers in my
domain. And there are still many cases where the logic of pushing a plain
list cannot be used (without cron jobs, again).

In short, I think that the solution of getting the map from NIS or LDAP is a
good one, but, if Samba could execute an external script to resolve the
mappings, it would be much more general, not so complicated for the users,
and easier to implement in the Samba code (and to document). It would also
necessitate only one new configuration parameter.

Regards

François
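
The home-directory case described in the message above, as an added example that is not part of the original message or of Samba. The calling interface (client-supplied name as the first argument, Unix name on stdout, no output meaning no mapping), the "windows_name unix_name" reference file format and the default paths are assumptions. Because the name comes from the client, the helper validates it before using it in a lookup or a path.

```shell
#!/bin/sh
# Added example: hypothetical username-map helper. Assumed interface (not
# defined in the message): Samba runs it with the client-supplied name as $1
# and reads the Unix name from stdout; no output means "no mapping".

# Accept only a conservative character set; the name comes from the client.
is_safe_name() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# map_user WIN_NAME MAP_FILE HOME_ROOT
# MAP_FILE holds "windows_name unix_name" pairs, one per line (assumed format).
map_user() {
    win=${1##*\\}                      # drop a leading DOMAIN\ prefix
    win=$(printf '%s' "$win" | tr 'A-Z' 'a-z')
    is_safe_name "$win" || return 1

    [ -r "$2" ] || return 1
    unix=$(awk -v n="$win" '$1 == n { print $2; exit }' "$2")
    # Validate the looked-up value too: it ends up in a path below.
    is_safe_name "$unix" || return 1

    # Only map when the home directory is visible from this host
    # (with an automounter, this test is what triggers the mount attempt).
    [ -d "$3/$unix" ] || return 1
    printf '%s\n' "$unix"
}

# Stand-alone use; both defaults are placeholders, not real Samba paths.
if [ "$#" -gt 0 ]; then
    map_user "$1" "${MAP_FILE:-/path/to/reference-map}" "${HOME_ROOT:-/home}"
fi
```

A name that fails validation, has no entry, or has no visible home directory produces no output and a non-zero exit status, so the caller can fall back to the unmapped name.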