On Fri, 2011-09-30 at 10:21 +0300, Marko Myllynen wrote:
> Hi,
> this simple patch allows using AD objectSid as the uid source, making it
> possible to use SSSD against AD instances which do not have Identity
> Management for Unix Role Service enabled. The mapping matches winbind's
> idmap_rid(8) behaviour. If ldap_user_uid_number is not objectSid then
> nothing changes.
> https://fedorahosted.org/sssd/ticket/996

Sorry for the long response time on this.

We've discussed this upstream and we can't accept this patch. There are
a number of issues that we need to consider with this. Winbind's
approach to ID mapping makes an unhealthy assumption that it is the ONLY
source of user data on the client system. This does not align with
SSSD's design to handle multiple domain sources at the same time.
Furthermore, the domain mapping algorithm here can cause conflicts with
local users in the 1000+ range.

At minimum, we'd need to come up with a deterministic design that would
allow multiple AD and non-AD domains to work at the same time, and start
at some reasonable minimum ID (such as 10,000).

The problem with doing that is that it would only work for clients using
SSSD (because it would not map to the same IDs as clients using winbind
directly). So before any action was taken on this, we'd need to
coordinate with the Samba project to change their mapping algorithm as
well.

This is a difficult process and will likely not happen in the
near-term.
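As an added illustration for both the patch description above (objectSid mapped like winbind's idmap_rid) and the reply's objection about local users in the 1000+ range: the script below is example code written for this thread, not the submitted patch and not SSSD or Samba code. It parses an objectSid in both its string form and its binary LDAP form, applies the idmap_rid(8) rule (id = rid - base_rid + low_id), and checks the resulting uids against /etc/passwd-style local accounts. The passwd lines, domain SID and RIDs are constructed sample data; returning None for an out-of-range result is this example's choice.

```python
"""Map an AD objectSid to a POSIX uid the way winbind's idmap_rid(8) does
and show where a range starting at 0 collides with local accounts.
Example code written for this discussion; not SSSD, Samba or patch code.
"""
import struct


def parse_sid_string(sid):
    """Parse 'S-1-5-21-...-RID' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return revision, authority, subs


def parse_sid_binary(data):
    """Parse the binary objectSid attribute as returned by AD over LDAP.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then `count` little-endian uint32
    sub-authorities; the last sub-authority is the RID.
    """
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, data[8:]))
    return revision, authority, subs


def sid_to_string(revision, authority, subs):
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid):
    """Return (domain SID string, RID) for a user or group SID string."""
    revision, authority, subs = parse_sid_string(sid)
    if len(subs) < 2:
        raise ValueError("SID has no RID component: %r" % sid)
    return sid_to_string(revision, authority, subs[:-1]), subs[-1]


def idmap_rid(sid, low_id=0, high_id=None, base_rid=0):
    """idmap_rid(8) arithmetic: id = rid - base_rid + low_id.

    With the defaults (low_id=0, base_rid=0) the uid simply equals the RID,
    which is the behaviour the patch description refers to. Results outside
    [low_id, high_id] are reported as None (this example's convention).
    """
    _, rid = split_sid(sid)
    uid = rid - base_rid + low_id
    if uid < low_id or (high_id is not None and uid > high_id):
        return None
    return uid


def local_uids(passwd_text):
    """Map uid -> username from /etc/passwd-style text."""
    out = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            out[int(fields[2])] = fields[0]
    return out


def find_collisions(sids, passwd_text, low_id=0, high_id=None, base_rid=0):
    """Return [(sid, uid, local_user)] for SIDs whose mapped uid is already
    taken by a local account."""
    local = local_uids(passwd_text)
    hits = []
    for sid in sids:
        uid = idmap_rid(sid, low_id, high_id, base_rid)
        if uid is not None and uid in local:
            hits.append((sid, uid, local[uid]))
    return hits


# Constructed sample data; AD hands out user RIDs starting around 1000,
# and most distributions start local users at uid 1000 too.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
SAMPLE_DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"
SAMPLE_SIDS = [SAMPLE_DOMAIN + "-1000", SAMPLE_DOMAIN + "-1001", SAMPLE_DOMAIN + "-1108"]

if __name__ == "__main__":
    print("low_id=0     ->", find_collisions(SAMPLE_SIDS, SAMPLE_PASSWD))
    print("low_id=10000 ->", find_collisions(SAMPLE_SIDS, SAMPLE_PASSWD,
                                             low_id=10000, high_id=19999))
```

Running it with the defaults reports RIDs 1000 and 1001 landing on alice and bob; with low_id=10000 the same SIDs map to 11000, 11001 and 11108 and no longer collide, which is the minimum-ID change the reply asks for. It does not solve the second problem the reply raises: a second AD domain run through the same rule would produce the same uids, so each domain needs its own disjoint range, and winbind clients using a different base would still disagree on the numbers.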