[Samba] [obnox at samba.org: 3.6:idmap:Q2: get rid of (all/most) idmap alloc parameters for idmap_ldap ?]
christopher.chan at bradbury.edu.hk
Tue Nov 30 16:02:06 MST 2010
Thank you for your hard work. Can you hazard a guess at what might be
causing winbind to not automatically create mappings in the ldap backend?
Also, can one make winbind direct that kerberos authentication be used?
In 3.0.33, kerberos was used but in 3.5.4 which I am currently running,
ntlmv2 is being chosen and that is problematic as workstations are NOT
being checked against winbind but against samba.
On Wednesday, December 01, 2010 12:40 AM, Michael Adam wrote:
> Hi Christopher,
> thank you for your comments.
> I know that idmap configuration has been a pain to get and keep
> right over the releases. This is a pity. One of the aims, I have
> been pursuing with my latest rewrite is to make ID mapping
> config slightly simpler, while staying mostly backward
> compatible. I am convinced that the removal of the alloc config
> will get us rid of a continuous source of grief and confusion.
> And I will of course do my best do document things as good as
> possible. Please bear with me and carefully check config vs.
> documentation once 3.6 is out. And please report bugs if there
> are inconsistencies. Also please insist if I don't react in a
> timely manner. If I loose track due to being busy with other
> topics, I am thankful for any reminder to fix my bugs... :-)
> Cheers - Michael
> Christopher Chan wrote:
>> Hi Michael,
>> I, for one, am using config alloc because that is how things were done
>> on 3.0.xx before I migrated data to a new box that uses 3.5.4. I do not
>> care very much about the configuration changes. But I beg you that
>> documentation regarding idmap_ldap is updated including how idmap_ldap
>> I had issues getting the configuration in 3.5.x to a state where I could
>> run wbinfo --set-* successfully and I still have an outstanding issue
>> where new accounts created in AD are not being automatically mapped by
>> winbind and I have to manually create these mappings.
>>> In my idmap rewrite, I kept the alloc related parameters for the
>>> LDAP idmap backend for now:
>>> - idmap alloc config : ldap_url
>>> - idmap alloc config : ldap_base_dn
>>> - idmap alloc config : ldap_user_dn
>>> and the related idmap alloc secret.
>>> I would like to get rid of these.
>> Be my guest. I don't care so long as these changes are documented so
>> that people will know what is going on. This will be the second time
>> that I will have had to fight with changes in idmap ldap related
>> configuration without notice.
>>> Therefore, I am asking here, if there is
>>> anyone out there using these?
>>> I can not imagine a reason why one would
>>> want to use different server and/or user+password
>>> for storing the uid/gid counter.
>> Right now there is nothing that actually explains to me what idmap_ldap
>> does and so I don't have a clue as to what are you talking about.
>>> The only option that I would attest a certain, though minimal,
>>> right to exist is the ldap_base_dn. But usually, it should
>>> imho ok to store the uid/gid counter in the same location
>>> as the mappings.
>>> So, again: Are these options needed/used at all?
>> There is an awful lot of 'documentation' out there detailing the use of
>> alloc. People go nuts just figuring out how to do winbind + ldap.
>>> Or can I remove them for 3.6.0 ?
>> Be my guest! Just update/provide documentation!
>>> Cheers - Michael
>>> Note: If we need to keep any of the options, the current form
>>> (idmap alloc config :<option> = ...) would reference
>>> the default config, but my idmap rewrite would enable us
>>> to set these on a per-domain basis, which would call
>>> for options like this "idmap config DOMAIN : alloc_<option>")
>>> ----- End forwarded message -----
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba