Simo Sorce wrote:
>
> > > > We have many of these problems already, but they get worse when
> > > > allocated RIDs are the norm, rather than the exception. Perhaps we
> > > > should move SID->uid and uid->SID stuff into a separate module? This
> > > > was something we were looking at for the 'new SAM', but maybe we need it
> > > > sooner. (It is not dependent on the rest of the work).
> > >
> > > I remember the word SURS.... ;-) I think this would not help. We will
> > > never be perfect NT, we will always have rough edges. But at least if
> > > the behaviour is known and documented, I would be happy. I need to
> > > *explain* that stuff to people sitting in courses. For this simplicity
> > > is really important.
> >
> > Yes, we need a simple solution, but I'm not sure there is one...
>
> Isn't idmap the right place to go?

I think so. And I think we can construct one that makes sense for admins. For example, we could construct an LDAP based one that uses the uidNumber on the user's LDAP record.

We might end up doing this via the passdb interface (despite the fact I was really hoping to move unix stuff out of there) because I found the performance issues surrounding the current stuff to be problematic. :-(

Whatever we do, uid->sid and sid->uid needs to be a single lookup.

idra: you proposed (and even added) these to the passdb API a little while back. Do you think that's still a viable solution? If we implement the 'ldap trust uids' thing (stops Get_Pwnam() inside ldap) then this would certainly scale much better than existing code.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
