At 15:59 30.09.2002 +0200, [EMAIL PROTECTED] wrote:

>*** PGP Signature Status: bad
>*** Signer: Volker Lendecke <[EMAIL PROTECTED]> (Invalid)
>*** Signed: 30.09.2002 15:59:49
>*** Verified: 30.09.2002 16:10:33
>*** BEGIN PGP VERIFIED MESSAGE ***
>
>Hi!
>
>Recently I have done some work on the passdb interface in order to get
>it to work with 'net rpc vampire'. The main problem with both of them
>playing together is the question of RIDs. When doing the 'net rpc
>vampire', the PDC dictates our RIDs, and the old 2.2 style algorithmic
>uid->RID translation is around everywhere, esp. in mapping.c and
>passdb.c. So I tried to move all the calls to these functions to the
>smbpasswd and unix backends, where they really have a case.
>
>Some points to look at:
>
>* There are no unmapped groups anymore. get_group_from_gid creates
>  mappings on the fly when needed.
>
>* pdb_fill_sam_pw does *not* fill group and user SID anymore.
>
>* NULL user sid for pdb_add_sam_account means 'allocate a RID'.
>
>* local_uid_to_sid has to hand out a SID for each unix user. If the
>  unix user is not in pdb, we now hand out 'S-1-5-33-unixuid'. This
>  works fine on NT and W2k.
>
>Current question(s):
>
>* The RID allocator is in the wrong place. It's currently storing its
>  stuff in secrets.tdb. smbpasswd should use the old algorithmic
>  mapping; net rpc vampire will not work with smbpasswd. So that this
>  does not interfere with group RID allocation, the passdb backend must
>  be asked 'give me a RID for this unix gid'.
right.

>* The other alternative is to move the (not too big) groupdb API
>  entirely to the passdb backend. This would make it possible to get
>  LDAP replication for group mapping quite easily. We could encapsulate
>  LDAP (with connection caching.... ;-) in one file.

sounds good to me

>* Design of LDAP replication: What about a sambaGroup objectclass as
>  supplementary to posixGroup that contains gid, sid, ntname,
>  grouptype, comment etc? All the stuff that mapping.c stores in the
>  tdb.

sid, ntname, grouptype have to be added. gid is in posixGroup, I think, and comment should be description.

But it would be nice if we could make the design of this also ready for sam_ldap.
And maybe update sambaAccount too (change ASCII strings to directory strings (UTF-8) ... change the rid to sid ...), and modify the backend to be able to switch between the new and old schema. Add sambaDomain ...

some lines from IRC:

[07:42:28] <metze> hi abartlet
[07:42:44] <metze> what do you say to vl's patch
[07:43:25] <metze> I think we should have a rid_allocator in each backend!
[07:43:35] <@abartlet> vl: I need to pull it apart a bit
[07:43:37] <@abartlet> I agree
[07:44:56] <metze> and we should have a plugable group mapping
[07:45:02] <metze> tdb or ldap
[07:46:45] <metze> and someone should use (pdb_ldap AND group_map_ldap AND rid_alloc_ldap) or (pdb_tdb AND group_map_tdb AND rid_alloc_tdb)
[07:56:36] <metze> but the rest look good
[07:56:46] <metze> but I haven't tested it

metze
-----------------------------------------------------------------------------
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
