[Freeipa-users] Samba 4 with IPA

Alexander Bokovoy abokovoy at redhat.com
Tue Apr 30 19:54:50 UTC 2013


On Tue, 30 Apr 2013, Simo Sorce wrote:
>On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote:
>>
>> We need to add some smart logic to ipasam module to handle it.
>>
>The logic for trusted users needs to go into winbindd or sssd, ipasam is
>only about our own domain.
In SSSD 1.10 there is a new SID translation interface in libsss_nss_idmap
that we can use to build such logic.

I only pointed to ipasam because this is a place where we know
everything about all IPA trusts and idranges and which gets contacted
if winbindd is unable to resolve uid/gid to SID. A fallback case.

For an SSSD-based solution we would need to differentiate between it being
installed on an IPA master with ipa-adtrust-install configuration and other
machines to avoid loops, as SSSD on the IPA master currently asks winbindd
for SID translation and other SSSDs ask IPA's extdom plugin on the Directory
server side.
-- 
/ Alexander Bokovoy



