At 15:57 13.10.2002 +0200, Simo Sorce wrote:

> > > But to use ldap as a central storage you have to solve how to handle
> > > foreign or builtin/special SIDs!

Yes, the builtin SIDs should only be shared between DCs. Maybe we shouldn't do lookups on the central idmap that contain builtin SIDs, and instead write them as unmapped in our local idmap (if domain logons = no).

1. So if we look up BUILTIN SID S-1-5-32-545 and don't find it in the local idmap, we should write it to our local idmap and mark it as unmapped. It will later be possible for the admin to manually map it via a tool like smbgroupedit.

2. If we look up uid 5676 and don't find it in our local idmap, we look it up in the central idmap. If it is mapped to a builtin SID, we should write it to our local idmap as unmapped. It will later be possible for the admin to manually map it via a tool like smbgroupedit.

3. If we have domain logons = yes, we should skip 1. and 2.

> > Well, I was only looking at mapping our own domain - I was thinking the
> > rest should happen via winbind. However, it does make more sense that
> > this is all handled in one place. I think we can deal with this.
>
> if you want it to be fast, better it stay in one place.
>
> Simo.

metze
-----------------------------------------------------------------------------
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
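The three lookup rules proposed in the message above, modelled as an added example (this is not Samba's idmap code and not from the thread; the in-memory dicts are constructed stand-ins for the local idmap and the central LDAP idmap, and the `Idmap` class, `is_builtin_sid` helper and `UNMAPPED` marker are hypothetical names):

```python
# Added example, not Samba code: toy model of the proposed local/central idmap rules.
# Local idmap and central idmap are constructed in-memory dicts (SID -> unix id).
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

BUILTIN_PREFIX = "S-1-5-32-"   # well-known BUILTIN domain, e.g. S-1-5-32-545
UNMAPPED = "unmapped"          # local marker: SID recorded, but no unix id assigned yet


def is_builtin_sid(sid: str) -> bool:
    """BUILTIN SIDs (S-1-5-32-RID) are only meaningful between DCs."""
    return sid.startswith(BUILTIN_PREFIX)


@dataclass
class Idmap:
    domain_logons: bool                              # "domain logons = yes/no"
    central: Dict[str, int]                          # constructed central idmap
    local: Dict[str, Union[int, str]] = field(default_factory=dict)

    def lookup_sid(self, sid: str) -> Optional[Union[int, str]]:
        """Rule 1: a builtin SID missing locally is stored as unmapped, not fetched
        centrally. Rule 3: on a DC (domain logons = yes) the rule is skipped."""
        if sid in self.local:
            return self.local[sid]
        if is_builtin_sid(sid) and not self.domain_logons:
            self.local[sid] = UNMAPPED   # admin maps it later, e.g. with smbgroupedit
            return UNMAPPED
        unix_id = self.central.get(sid)
        if unix_id is not None:
            self.local[sid] = unix_id    # cache the central answer locally
        return unix_id

    def lookup_id(self, unix_id: int) -> Optional[str]:
        """Rule 2: a central hit that resolves to a builtin SID is recorded locally
        as unmapped and the id is reported as having no SID (None)."""
        for sid, mapped in self.local.items():
            if mapped == unix_id:
                return sid
        for sid, mapped in self.central.items():
            if mapped == unix_id:
                if is_builtin_sid(sid) and not self.domain_logons:
                    self.local[sid] = UNMAPPED
                    return None
                self.local[sid] = unix_id
                return sid
        return None
```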