"algorithmic rid base" bogus?

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Dec 29 11:47:18 GMT 2005


On Tue, Dec 27, 2005 at 10:49:44PM +0100, Volker Lendecke wrote:
> Thinking about migration issues right now, but I think the only real issue is
> generating the samlogon token, and this is either doable on the fly or even
> better it is scriptable. Enumerate all users, do the query_usergroups call for
> them and add explicit mapping entries.

I think I found a sane way for upgrades (not relevant for smbpasswd):

I will add a parameter 'auto map groups', defaulting to 'yes'. This hooks into
the gid2sid routine and adds group mappings based on the RID algorithm
whenever non-mapped gids pass by. This way all groups that are right now
mapped based on the algorithm function as they do now: they show up in the
samlogon token.

This conflicts however with new users, workstations and groups. There is just
no sane way to find a RID space that is free now and in the future to allocate
RIDs from. So 'auto map groups = yes' makes pdb_new_rid plainly refuse to
allocate new RIDs, preventing the admin from shooting himself in the foot.

The active part the admin has to take is to explicitly map all groups in use,
issue a 'net maxrid' operation that will set the next RID to allocate, and set
'auto map groups = no'. We might also note the setting in the sambaDomain
object and tdbsam; this is a one-time setting like the upgrade to W2k native
mode.

No users affected, only admins will see a prominent debuglevel 0 message.

Sounds weird? Can we impose that on our users?

Volker
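The upgrade scheme from the message above, modelled as an added Python example. This is constructed for illustration and is not Samba code: the RID arithmetic follows Samba's algorithmic mapping (rid = id * 2 + 'algorithmic rid base', low bit set for groups), but the class and method names (PassdbModel, gid2sid, new_rid, net_maxrid, finish_upgrade) and the sample domain SID, gids and RIDs are assumptions. It shows the auto-mapping hook in gid2sid, why new RID allocation must be refused while it is on (a RID handed out now can later be claimed by the algorithm for an unmapped gid), and the admin's map groups / net maxrid / switch off sequence.

```python
# Constructed model of the upgrade scheme in the message above; not Samba code.
# RID arithmetic follows Samba's algorithmic mapping (rid = id * 2 + base, with
# the low bit marking a group); the class, method and parameter names below
# (PassdbModel, gid2sid, new_rid, net_maxrid) are assumptions for illustration.

RID_MULTIPLIER = 2
USER_RID_TYPE = 0
GROUP_RID_TYPE = 1


def algorithmic_user_rid(uid, rid_base=1000):
    """RID derived from a uid when no explicit mapping exists (even number)."""
    return (uid * RID_MULTIPLIER + rid_base) | USER_RID_TYPE


def algorithmic_group_rid(gid, rid_base=1000):
    """RID derived from a gid; the low bit distinguishes groups from users."""
    return (gid * RID_MULTIPLIER + rid_base) | GROUP_RID_TYPE


class PassdbModel:
    """Toy passdb holding group mappings and the 'next RID to allocate' counter."""

    def __init__(self, domain_sid, auto_map_groups=True, rid_base=1000):
        self.domain_sid = domain_sid
        self.auto_map_groups = auto_map_groups
        self.rid_base = rid_base
        self.group_map = {}        # gid -> RID (explicit or auto-added)
        self.allocated = set()     # RIDs handed out by new_rid()
        self.next_rid = rid_base
        self.log = []

    def map_group(self, gid):
        """Explicit mapping the admin creates; uses the algorithmic RID."""
        rid = algorithmic_group_rid(gid, self.rid_base)
        self.group_map[gid] = rid
        return rid

    def gid2sid(self, gid):
        """With 'auto map groups = yes', unmapped gids get an algorithmic mapping
        on the fly; with 'no', they stay unmapped (returns None)."""
        rid = self.group_map.get(gid)
        if rid is None:
            if not self.auto_map_groups:
                return None
            rid = self.map_group(gid)
            self.log.append(f"auto-mapped gid {gid} to RID {rid}")
        return f"{self.domain_sid}-{rid}"

    def new_rid(self):
        """Allocate a fresh RID; refused while auto mapping is on, because any
        RID chosen now could later be claimed by the algorithm for a new gid."""
        if self.auto_map_groups:
            self.log.append("DEBUG(0): 'auto map groups = yes' in effect, "
                            "refusing to allocate a new RID")
            return None
        rid = self.next_rid
        self.next_rid += 1
        self.allocated.add(rid)
        return rid

    def net_maxrid(self):
        """Model of the 'net maxrid' step: set the next RID above every RID in use."""
        in_use = set(self.group_map.values()) | self.allocated
        self.next_rid = max(in_use, default=self.rid_base) + 1
        return self.next_rid

    def finish_upgrade(self):
        """Admin turns auto mapping off after mapping groups and running net maxrid."""
        self.auto_map_groups = False

    def rid_collisions(self):
        """RIDs that are both allocated by new_rid() and claimed by a group mapping."""
        return self.allocated & set(self.group_map.values())


def show_why_allocation_is_refused():
    """Bypass the refusal and show the collision it prevents: a RID allocated
    while auto mapping is on is later reused by the algorithm for an unmapped gid."""
    pdb = PassdbModel("S-1-5-21-1-2-3", auto_map_groups=True)
    pdb.next_rid = 1201                 # suppose the counter happens to sit here
    pdb.allocated.add(pdb.next_rid)     # bypass new_rid()'s check on purpose
    pdb.gid2sid(100)                    # gid 100 maps algorithmically to 1201
    return sorted(pdb.rid_collisions())


def upgrade_walkthrough():
    """The admin's sequence from the message: map groups, net maxrid, switch off."""
    pdb = PassdbModel("S-1-5-21-1-2-3")
    sid_a = pdb.gid2sid(100)            # auto-mapped: RID 1201
    refused = pdb.new_rid()             # None while auto mapping is on
    pdb.map_group(250)                  # admin maps remaining groups: RID 1501
    next_rid = pdb.net_maxrid()         # 1502
    pdb.finish_upgrade()
    first_new = pdb.new_rid()           # 1502
    unmapped = pdb.gid2sid(300)         # None: no more auto mapping
    return sid_a, refused, next_rid, first_new, unmapped
```

The collision demo is the reason pdb_new_rid has to refuse rather than warn: once auto mapping is off and 'net maxrid' has moved the counter past every RID in use, the algorithm can no longer produce a RID below the counter for any gid that is still unmapped, and those gids simply stay unmapped instead of silently aliasing an allocated RID.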