'it seemed like a good idea at the time...'

I've come to the conclusion that 'unixsam' has reached the end of its useful life. And a short life it has been too.

Originally added as a way of moving the last of the 'fixed' uid->rid translations into the passdb backends, and as a way of doing some 'name->sid' translations uniformly, the unixsam backend has also created its fair share of troubles....

In particular, it creates a real mess with the way the SAMR 'create user' call works: the user doesn't really exist - we have no samba attributes for that user - but the user does exist, and so the Windows client does a 'modify password' not an 'add user'. This means that the real account control bits are never set - causing a bit of a mess between some of the different types of trust accounts.

It also makes some of the 'net rpc vampire' stuff messier than it should be.

As such, we need to get the idmap stuff separated:

 - all SIDs should be algorithmically mapped from their uid/gid, except:
   - SIDs specifically entered in the IDMAP database
   - SIDs outside our local domain (ie our passdb).
 - We should try and make this as transparent as possible:
   - we should have a LDAP backend that maps the local domain to UIDs via an ldap lookup on the 'rid' and 'uidnumber' attributes.
   - this should mean that existing NT->Samba migrations should 'just work'
 - We should have some way to move from the current TDB to an LDAP backend.
 - All accounts would become 'non unix accounts', with idmap sorting things out later. (we could add a sid->uid->getpwuid() check in critical places if required).
 - Adding an existing 'unix' account with smbpasswd, rpc etc would set both the idmap and the pdb entry. With LDAP they would actually be the same record.

Hmm, after thinking about all this we might even be able to kill off unixsam without all that - possibly just serving rids 500 and 501.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
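
The lookup order proposed in the message above (explicit IDMAP entries first, no algorithmic mapping outside the local domain, algorithmic mapping otherwise), as an added example that is not part of the original post and not Samba's code. Assumptions: the formula rid = uid*2 + 1000 with odd offsets reserved for groups, the constructed domain SID and table, and the hypothetical names `sid_to_uid` and `uid_to_rid`.

```c
#include <stdint.h>
#include <string.h>

#define RID_BASE  1000u             /* assumed algorithmic rid base */
#define LOCAL_DOM "S-1-5-21-1-2-3"  /* constructed local domain SID */

/* Constructed stand-in for SIDs specifically entered in the IDMAP database. */
static const struct { const char *sid; uint32_t uid; } idmap_db[] = {
    { LOCAL_DOM "-500",      0     },  /* local RID below the algorithmic base */
    { "S-1-5-21-9-9-9-1105", 20001 },  /* SID from outside the local domain */
};

/* Returns 1 and sets *rid only if sid is exactly LOCAL_DOM "-" <decimal rid>. */
static int local_rid(const char *sid, uint32_t *rid)
{
    size_t n = strlen(LOCAL_DOM);
    uint64_t v = 0;
    const char *p;
    /* checking sid[n] stops "S-1-5-21-1-2-30-..." matching as local */
    if (strncmp(sid, LOCAL_DOM, n) != 0 || sid[n] != '-' || sid[n + 1] == '\0')
        return 0;
    for (p = sid + n + 1; *p; p++) {
        if (*p < '0' || *p > '9') return 0;
        v = v * 10 + (uint64_t)(*p - '0');
        if (v > UINT32_MAX) return 0;   /* reject RIDs that overflow 32 bits */
    }
    *rid = (uint32_t)v;
    return 1;
}

/* Returns 0 and sets *uid on success, -1 when the SID maps to no uid. */
int sid_to_uid(const char *sid, uint32_t *uid)
{
    uint32_t rid;
    size_t i;
    for (i = 0; i < sizeof(idmap_db) / sizeof(idmap_db[0]); i++)  /* 1. explicit */
        if (strcmp(idmap_db[i].sid, sid) == 0) { *uid = idmap_db[i].uid; return 0; }
    if (!local_rid(sid, &rid)) return -1;      /* 2. foreign SID: never algorithmic */
    if (rid < RID_BASE || ((rid - RID_BASE) & 1u)) return -1;  /* well-known or group */
    *uid = (rid - RID_BASE) / 2;               /* 3. local domain: algorithmic */
    return 0;
}

/* Algorithmic direction; returns 0 if the RID would not fit in 32 bits. */
uint32_t uid_to_rid(uint32_t uid)
{
    return uid > (UINT32_MAX - RID_BASE) / 2 ? 0 : uid * 2 + RID_BASE;
}
```

RID 501 is unmapped here because it sits below the assumed base and has no table entry, so well-known RIDs such as 500 and 501 need explicit handling under any such scheme.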
