From: Gerald Carter on 28 Jun 2010 11:00

On 06/28/2010 09:42 AM, Volker Lendecke wrote:
> Hi!
>
> $SUBJECT says it all. Why am I asking? A few times in the
> recent past I've stumbled across this module when trying to
> make changes in the winbind infrastructure that would
> involve changes to idmap_adex.
>
> The problem here is that I have no chance to test those
> changes, because I do not have the test setup including a
> Likewise Cell infrastructure around.
>
> Is anybody around using this module and willing to run tests
> against Likewise Cell infrastructure after changes have been
> done?

Volker,

There's some confusion here. The idmap_adex() doesn't have
anything to do with Likewise Cells. It's just an rfc2307
idmap module with support for domain trusts. The comments
in the code are misleading only because it was derived from
my original code at Likewise.

That said, if no one is using it, my suggestion is to remove
it on the basis that it is currently unmaintained.

cheers, jerry

--
Director of Engineering http://www.likewise.com/

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: Volker Lendecke on 28 Jun 2010 11:10

On Mon, Jun 28, 2010 at 09:55:12AM -0500, Gerald Carter wrote:
> There's some confusion here. The idmap_adex() doesn't have
> anything to do with Likewise Cells. It's just an rfc2307
> idmap module with support for domain trusts. The comments
> in the code are misleading only because it was derived from
> my original code at Likewise.

Part of what I want to test is possible changes to for
example the routine _nss_adex_get_info(). This has code like

{
        NTSTATUS nt_status;
        struct likewise_cell *cell;

        nt_status = _idmap_adex_init(NULL, NULL);
        if (!NT_STATUS_IS_OK(nt_status))
                return nt_status;

        if ((cell = cell_list_head()) == NULL) {
                return NT_STATUS_INVALID_SERVER_STATE;
        }

        return cell->provider->get_nss_info(sid, ctx, homedir,
                                            shell, gecos, p_gid);
}

which to me very much looks like having to do with Likewise
Cells. But I might be completely wrong, and that is part of
the problem: I do not fully understand the code in for
example provider_unified.c, and I am not intellectually
capable enough to fully understand it without running the
code at all.

I might be wrong here, but to me it looks like that
_idmap_adex_init calls cell_locate_membership. I am a bit
worried that I break something in that realm when making
changes to the cell->provider->get_nss_info call which seems
to call search_cell_list() for example. I would like to be
able to run that code and see how it behaves, not the least
to be able to understand what it actually does before making
changes.

Volker

From: simo on 28 Jun 2010 11:20

On Mon, 2010-06-28 at 09:55 -0500, Gerald Carter wrote:
> On 06/28/2010 09:42 AM, Volker Lendecke wrote:
> > Hi!
> >
> > $SUBJECT says it all. Why am I asking? A few times in the
> > recent past I've stumbled across this module when trying to
> > make changes in the winbind infrastructure that would
> > involve changes to idmap_adex.
> >
> > The problem here is that I have no chance to test those
> > changes, because I do not have the test setup including a
> > Likewise Cell infrastructure around.
> >
> > Is anybody around using this module and willing to run tests
> > against Likewise Cell infrastructure after changes have been
> > done?
>
> Volker,
>
> There's some confusion here. The idmap_adex() doesn't have
> anything to do with Likewise Cells. It's just an rfc2307
> idmap module with support for domain trusts. The comments
> in the code are misleading only because it was derived from
> my original code at Likewise.
>
> That said, if no one is using it, my suggestion is to remove
> it on the basis that it is currently unmaintained.

Jerry, are there other modules that would allow us to do one way trust
while keeping info on AD ?

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo(a)samba.org>
Principal Software Engineer at Red Hat, Inc. <simo(a)redhat.com>

From: Gerald Carter on 28 Jun 2010 11:20

Hey Volker,

On 06/28/2010 10:07 AM, Volker Lendecke wrote:
> Part of what I want to test is possible changes to for
> example the routine _nss_adex_get_info(). This has code like
>
> {
>         NTSTATUS nt_status;
>         struct likewise_cell *cell;
>
>         nt_status = _idmap_adex_init(NULL, NULL);
>         if (!NT_STATUS_IS_OK(nt_status))
>                 return nt_status;
>
>         if ((cell = cell_list_head()) == NULL) {
>                 return NT_STATUS_INVALID_SERVER_STATE;
>         }
>
>         return cell->provider->get_nss_info(sid, ctx, homedir,
>                                             shell, gecos, p_gid);
> }
>
>
> which to me very much looks like having to do with Likewise
> Cells. But I might be completely wrong, and that is part of
> the problem: I do not fully understand the code in for
> example provider_unified.c, and I am not intellectually
> capable enough to fully understand it without running the
> code at all.

Yeah. It's a bit of a tough spot. The "struct likewise_cell"
is a scoping object. But in this case, the scope is actually
the forest and not a particular OU. There is a cell structure
per domain which also acts as the connection caching mechanism
IIRC. So there should be a list of likewise_cell structures,
one per domain. I'd have to look at the code again to remember
how the GC connection handling is done.

There's some neat features in it and at the time, I really
felt it was a more flexible and robust module than idmap_ad
due to the support for trusts and things like alias names
for users and groups. But....(remaining thoughts below)

> I might be wrong here, but to me it looks like that
> _idmap_adex_init calls cell_locate_membership. I am a bit
> worried that I break something in that realm when making
> changes to the cell->provider->get_nss_info call which seems
> to call search_cell_list() for example. I would like to be
> able to run that code and see how it behaves, not the least
> to be able to understand what it actually does before making
> changes.

I think that unless a large number of ppl strongly object,
I would remove it. As we both know, I don't have time to
support or test it any more either. And as you point out,
without at least some of the historical background, the code
is a bit confusing.

cheers, jerry

From: simo on 28 Jun 2010 11:30

On Mon, 2010-06-28 at 10:24 -0500, Gerald Carter wrote:
> On 06/28/2010 10:13 AM, simo wrote:
>
> >> There's some confusion here. The idmap_adex() doesn't have
> >> anything to do with Likewise Cells. It's just an rfc2307
> >> idmap module with support for domain trusts. The comments
> >> in the code are misleading only because it was derived from
> >> my original code at Likewise.
> >>
> >> That said, if no one is using it, my suggestion is to remove
> >> it on the basis that it is currently unmaintained.
> >
> > Jerry, are there other modules that would allow us to do one way trust
> > while keeping info on AD ?
>
> Hey Simo,
>
> The idmap_adex trust support was for cross-forest transitive
> trusts.
>
> You can't do one-way trusts like this anyways (neither does
> idmap_adex). The one-way trust support is (was) in winbindd
> core code and made use of the rpc SID/Name translation.
> You just can't obtain any attribute information from the
> wrong side on a one-way trust.

Ok, for some reason I thought information was maintained on your side of
the trust using the cells. If that's not the case and adex does not
provide any additional feature then I will let you and Volker decide
what to do with this module.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo(a)samba.org>
Principal Software Engineer at Red Hat, Inc. <simo(a)redhat.com>