On Thu, May 14, 2009 at 11:14:30AM +0100, Julian Pullen wrote:
> I did look at the code changes and my view is that this support for AD
> groups really belongs to nss_ad. Since nss_ad currently does not
> support login we need to take a pragmatic approach.

Right. Sponsoring this RFE is being pragmatic :)

We should enhance nss_ad so that logins by users with non-ephemeral IDs are possible. Today that can't really be done because the non-ephemeral IDs will be those of users/groups defined in other name services. However, when ID mapping via IDMU/SFU attributes is added to idmapd it will then be possible to have non-ephemeral IDs for some AD users and groups without having to have corresponding entities in Unix name services.

Nico
--
