On Mon, Jul 07, 2003 at 12:13:35AM -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 7 Jul 2003 [EMAIL PROTECTED] wrote:
>
> > Date: Mon Jul 7 05:11:09 2003
> > Author: jerry
> >
> > Update of /data/cvs/samba/source/auth
> > In directory dp.samba.org:/tmp/cvs-serv10743/auth
> >
> > Modified Files:
> > Tag: SAMBA_3_0
> > auth_util.c auth_winbind.c
> > Log Message:
> > and so it begins....
> >
> > * remove idmap_XX_to_XX calls from smbd. Move back to the
> > winbind_XXX and local_XXX calls used in 2.2
Sorry to jump back right to the start of this thread - but while I have objections to much of the rest of this, on review, this really is the nasty part...

This isn't the calls we had in Samba 2.2 - this is a reversion to the ugly hack that plagued Samba 3.0 up until idmap. (I can say it is an ugly hack because I added it, to start vl on his vampire work, and I was very glad to get rid of it in favor of idmap.)

Samba 2.2 has a very simple function to do this - uid*2+1000. Instead, for every sid->uid call, we are making nss and passdb calls all over the place, and if they fail (NIS outage etc) we fail the lookup. This not only means that SIDs (which can be almost arbitrary on NT) are not valid/invalid depending on the state of the network. At least my previous code fell back to the algorithm.

Why can't we ask winbind to translate these SIDs - look up the mapping that might already exist (some other host might have given this SID a mapping in idmap, and we want this to be consistent for NFS) and have it fall back to the algorithm if that has no mapping? Or even allow this name-based mapping by option, giving sites that have an LDAP based idmap (using the user entries as it now does) the option of a fast, tdb-cached lookup?

Andrew Bartlett
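The lookup order argued for above (an existing idmap entry first, the Samba 2.2 algorithmic mapping as the fallback, and no NSS or passdb call in the path) is sketched below as an added, self-contained example. It is not Samba code and not Andrew's or Jerry's; the in-memory `idmap_table`, the `local_domain_sid` value and the SID strings are constructed for the illustration, and the group half of the algorithm (odd RIDs, gid*2+1001) is taken from Samba 2.2's RID scheme rather than from this mail. The point it shows is that the answer for a given SID depends only on local state, so a NIS outage cannot make a SID flip between valid and invalid.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALG_RID_BASE 1000u   /* the "+1000" in uid*2+1000 (Samba's algorithmic rid base) */

enum id_type { ID_NONE = 0, ID_UID, ID_GID };

struct id_result {
    enum id_type type;
    uint32_t id;
    bool from_idmap;         /* true when a stored mapping won over the algorithm */
};

/* Constructed stand-in for the idmap tdb: mappings another host may already have
 * handed out. Keyed by the full SID so foreign-domain SIDs can be mapped too. */
struct idmap_entry { const char *sid; enum id_type type; uint32_t id; };
static const struct idmap_entry idmap_table[] = {
    { "S-1-5-21-111-222-333-5001", ID_UID, 12000 },   /* algorithm would say gid 2000 */
    { "S-1-5-21-999-999-999-1234", ID_GID, 30000 },   /* trusted-domain SID, idmap only */
};

/* Hypothetical local domain SID (constructed for the example). */
static const char *local_domain_sid = "S-1-5-21-111-222-333";

/* Split "S-1-5-21-111-222-333-3000" into its domain part and RID. */
static bool split_sid(const char *sid, char *domain, size_t domain_len, uint32_t *rid) {
    const char *dash = strrchr(sid, '-');
    if (strncmp(sid, "S-1-", 4) != 0 || dash == NULL) return false;
    size_t n = (size_t)(dash - sid);
    if (n == 0 || n >= domain_len) return false;
    memcpy(domain, sid, n);
    domain[n] = '\0';
    char *end = NULL;
    unsigned long v = strtoul(dash + 1, &end, 10);
    if (end == dash + 1 || *end != '\0' || v > 0xFFFFFFFFul) return false;
    *rid = (uint32_t)v;
    return true;
}

/* Inverse of the 2.2 algorithm: rid = uid*2 + base (users), gid*2 + base + 1 (groups).
 * RIDs below the base (Administrator=500, Domain Admins=512, ...) are not algorithmic. */
static bool algorithmic_rid_to_id(uint32_t rid, struct id_result *out) {
    if (rid < ALG_RID_BASE) return false;
    uint32_t off = rid - ALG_RID_BASE;
    out->type = (off % 2 == 0) ? ID_UID : ID_GID;
    out->id = off / 2;
    out->from_idmap = false;
    return true;
}

static bool idmap_lookup(const char *sid, struct id_result *out) {
    for (size_t i = 0; i < sizeof idmap_table / sizeof idmap_table[0]; i++) {
        if (strcmp(idmap_table[i].sid, sid) == 0) {
            out->type = idmap_table[i].type;
            out->id = idmap_table[i].id;
            out->from_idmap = true;
            return true;
        }
    }
    return false;
}

/* sid -> uid/gid: stored mapping first, algorithm second, nothing network-dependent.
 * Foreign-domain SIDs have no algorithmic form, so they resolve only via idmap. */
bool sid_to_unix_id(const char *sid, struct id_result *out) {
    char domain[64];
    uint32_t rid;
    memset(out, 0, sizeof *out);
    if (!split_sid(sid, domain, sizeof domain, &rid)) return false;
    if (idmap_lookup(sid, out)) return true;
    if (strcmp(domain, local_domain_sid) == 0) return algorithmic_rid_to_id(rid, out);
    return false;
}

int main(void) {
    const char *samples[] = { "S-1-5-21-111-222-333-3000", "S-1-5-21-111-222-333-5001",
                              "S-1-5-21-111-222-333-500",  "S-1-5-21-999-999-999-3000" };
    for (size_t i = 0; i < 4; i++) {
        struct id_result r;
        if (sid_to_unix_id(samples[i], &r))
            printf("%s -> %s %u (%s)\n", samples[i], r.type == ID_UID ? "uid" : "gid",
                   r.id, r.from_idmap ? "idmap" : "algorithmic");
        else
            printf("%s -> unmapped\n", samples[i]);
    }
    return 0;
}
```

Note how the 5001 entry resolves to uid 12000 from the table even though the algorithm would have produced gid 2000: whichever host first stored the mapping wins, which is exactly the NFS consistency property the mail asks for, and the algorithmic branch still answers for local-domain RIDs that nobody has stored yet.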