Re: [SSSD] [PATCH] Allow using AD objectSid as uid source

On Fri, 2011-09-30 at 10:21 +0300, Marko Myllynen wrote: Sorry for the long response time on this. We've discussed this upstream and we can't accept this patch. There are a number of issues that we need to consider with this. Winbind's approach to ID mapping makes an unhealthy assumption that it is the ONLY source of user data on the client system. This does not align with SSSD's design to handle multiple domain sources at the same time. Furthermore, the domain mapping algorithm here can cause conflicts with local users in the 1000+ range. At minimum, we'd need to come up with a deterministic design that would allow multiple AD and non-AD domains to work at the same time, and start at some reasonable minimum ID (such as 10,000). The problem with doing that is that it would only work for clients using SSSD (because it would not map to the same IDs as clients using winbind directly). So before any action was taken on this, we'd need to coordinate with the Samba project to change their mapping algorithm as well. This is a difficult process and will likely not happen in the near-term.