On 01/26/2013 12:49 PM, Rob McCorkell wrote:
> Thanks for the explanation - I wasn't thinking too much about multiple
> domains, and I guess it would be an issue. A potential solution would
> be to have offsets for each domain, specified in smb.conf? If I didn't
> have too much on my plate already I would have a look at the mapping
> code and attempt to write a solution myself.

Well I don't like the idea of having to set something in the smb.conf
because it doesn't match with the idea of configure once and then forget it.
More importantly it will be very hard to make it work in our automated
testsuite and not covering this part with tests is a recipe for a disaster.

> The 'solution' with the UID discrepancy between nslcd and Samba was to
> feed back the nslcd UID back into Samba, then tell Samba to use those
> UIDs instead. Oh, and while I am here I might as well bring a
> particular bug to your attention - when Samba is set to use rfc2307,
> but no uidNumber attribute exists for an object, the UID number gets
> allocated. But once a uidNumber attribute is set, and the allocation
> has already taken place, the allocated UID is used instead. I can't
> imagine that this is the desired behaviour with rfc2307.

No, that's not a bug but a secure approach (imho), because if Samba needs
to allocate, that's either for checking access for a read or because the
user is writing a file. If the user is writing a file it's very very
wrong to change its UID/GID, because it means that the UID/GID in the
ACLs won't be correct and the user might not be able to access/modify/delete
its file.

Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org