From: Gerald Carter on
On 06/28/2010 09:42 AM, Volker Lendecke wrote:
> Hi!
>
> $SUBJECT says it all. Why am I asking? A few times in the
> recent past I've stumbled across this module when trying to
> make changes in the winbind infrastructure that would
> involve changes to idmap_adex.
>
> The problem here is that I have no chance to test those
> changes, because I do not have the test setup including a
> Likewise Cell infrastructure around.
>
> Is anybody around using this module and willing to run tests
> against Likewise Cell infrastructure after changes have been
> done?

Volker,

There's some confusion here. The idmap_adex() doesn't have
anything to do with Likewise Cells. It's just an rfc2307
idmap module with support for domain trusts. The comments
in the code are misleading only because it was derived from
my original code at Likewise.

That said, if no one is using it, my suggestion is to remove
it on the basis that it is currently unmaintained.

cheers, jerry
--
Director of Engineering http://www.likewise.com/
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Volker Lendecke on
On Mon, Jun 28, 2010 at 09:55:12AM -0500, Gerald Carter wrote:
> There's some confusion here. The idmap_adex() doesn't have
> anything to do with Likewise Cells. It's just an rfc2307
> idmap module with support for domain trusts. The comments
> in the code are misleading only because it was derived from
> my original code at Likewise.

Part of what I want to test is possible changes to for
example the routine _nss_adex_get_info(). This has code like

{
    NTSTATUS nt_status;
    struct likewise_cell *cell;

    nt_status = _idmap_adex_init(NULL, NULL);
    if (!NT_STATUS_IS_OK(nt_status))
        return nt_status;

    if ((cell = cell_list_head()) == NULL) {
        return NT_STATUS_INVALID_SERVER_STATE;
    }

    return cell->provider->get_nss_info(sid, ctx, homedir,
                                        shell, gecos, p_gid);
}


which to me very much looks like having to do with Likewise
Cells. But I might be completely wrong, and that is part of
the problem: I do not fully understand the code in for
example provider_unified.c, and I am not intellectually
capable enough to fully understand it without running the
code at all.

I might be wrong here, but to me it looks like that
_idmap_adex_init calls cell_locate_membership. I am a bit
worried that I break something in that realm when making
changes to the cell->provider->get_nss_info call which seems
to call search_cell_list() for example. I would like to be
able to run that code and see how it behaves, not the least
to be able to understand what it actually does before making
changes.

Volker
From: simo on
On Mon, 2010-06-28 at 09:55 -0500, Gerald Carter wrote:
> On 06/28/2010 09:42 AM, Volker Lendecke wrote:
> > Hi!
> >
> > $SUBJECT says it all. Why am I asking? A few times in the
> > recent past I've stumbled across this module when trying to
> > make changes in the winbind infrastructure that would
> > involve changes to idmap_adex.
> >
> > The problem here is that I have no chance to test those
> > changes, because I do not have the test setup including a
> > Likewise Cell infrastructure around.
> >
> > Is anybody around using this module and willing to run tests
> > against Likewise Cell infrastructure after changes have been
> > done?
>
> Volker,
>
> There's some confusion here. The idmap_adex() doesn't have
> anything to do with Likewise Cells. It's just an rfc2307
> idmap module with support for domain trusts. The comments
> in the code are misleading only because it was derived from
> my original code at Likewise.
>
> That said, if no one is using it, my suggestion is to remove
> it on the basis that it is currently unmaintained.

Jerry, are there other modules that would allow us to do one way trust
while keeping info on AD ?

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo(a)samba.org>
Principal Software Engineer at Red Hat, Inc. <simo(a)redhat.com>

From: Gerald Carter on
Hey Volker,

On 06/28/2010 10:07 AM, Volker Lendecke wrote:

> Part of what I want to test is possible changes to for
> example the routine _nss_adex_get_info(). This has code like
>
> {
>     NTSTATUS nt_status;
>     struct likewise_cell *cell;
>
>     nt_status = _idmap_adex_init(NULL, NULL);
>     if (!NT_STATUS_IS_OK(nt_status))
>         return nt_status;
>
>     if ((cell = cell_list_head()) == NULL) {
>         return NT_STATUS_INVALID_SERVER_STATE;
>     }
>
>     return cell->provider->get_nss_info(sid, ctx, homedir,
>                                         shell, gecos, p_gid);
> }
>
>
> which to me very much looks like having to do with Likewise
> Cells. But I might be completely wrong, and that is part of
> the problem: I do not fully understand the code in for
> example provider_unified.c, and I am not intellectually
> capable enough to fully understand it without running the
> code at all.

Yeah. It's a bit of a tough spot. The "struct likewise_cell"
is a scoping object. But in this case, the scope is actually
the forest and not a particular OU. There is a cell structure
per domain which also acts as the connection caching mechanism
IIRC. So there should be a list of likewise_cell structures,
one per domain. I'd have to look at the code again to remember
how the GC connection handling is done.

There's some neat features in it and at the time, I really felt
it was a more flexible and robust module than idmap_ad due to
the support for trusts and things like alias names for users
and groups.

But....(remaining thoughts below)

> I might be wrong here, but to me it looks like that
> _idmap_adex_init calls cell_locate_membership. I am a bit
> worried that I break something in that realm when making
> changes to the cell->provider->get_nss_info call which seems
> to call search_cell_list() for example. I would like to be
> able to run that code and see how it behaves, not the least
> to be able to understand what it actually does before making
> changes.

I think that unless a large number of ppl strongly object, I would
remove it. As we both know, I don't have time to support or
test it any more either. And as you point out, without at least
some of the historical background, the code is a bit confusing.

cheers, jerry
From: simo on
On Mon, 2010-06-28 at 10:24 -0500, Gerald Carter wrote:
> On 06/28/2010 10:13 AM, simo wrote:
>
> >> There's some confusion here. The idmap_adex() doesn't have
> >> anything to do with Likewise Cells. It's just an rfc2307
> >> idmap module with support for domain trusts. The comments
> >> in the code are misleading only because it was derived from
> >> my original code at Likewise.
> >>
> >> That said, if no one is using it, my suggestion is to remove
> >> it on the basis that it is currently unmaintained.
> >
> > Jerry, are there other modules that would allow us to do one way trust
> > while keeping info on AD ?
>
> Hey Simo,
>
> The idmap_adex trust support was for cross-forest transitive
> trusts.
>
> You can't do one-way trusts like this anyways (neither does
> idmap_adex). The one-way trust support is (was) in winbindd
> core code and made use of the rpc SID/Name translation.
> You just can't obtain any attribute information from the
> wrong side on a one-way trust.

Ok, for some reason I thought information was maintained on your side of
the trust using the cells.

If that's not the case and adex does not provide any additional feature
then I will let you and Volker decide what to do with this module.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo(a)samba.org>
Principal Software Engineer at Red Hat, Inc. <simo(a)redhat.com>
