Can we map IDs between Unix domains? (e.g., for NFSv4)
Today (onnv build 92), no.
But there’s no reason we couldn’t add support for it.
Here’s how I would do it:
- First, map all UIDs and GIDs in foreign Unix domains to S-1-22-3-<domain-RIDs>-<UID> and S-1-22-4-<domain-RIDs>-<UID>. Whence the domain RIDs? Preferably we’d provide a way for each domain to advertise a domain SID. Otherwise we could allow each domain’s SID to be configured locally. Or else derive it from the domain’s name, e.g., octet_string_to_RIDs(SHA_256(domain_name)).
- Second, map all user and group names in foreign Unix domains to <name>@<domain-name>.
- Third, use libldap to talk to foreign Unix domains with RFC2307+ schemas. Possibly also add support for using NIS. (Yes, the NIS client allows binding to multiple domains, though, of course, the NIS name service backend uses only one; the yp_match(3NSL) and related functions take an optional NIS domain name argument.)
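The first two steps, worked through as an added example (not code from idmapd or from the post): domain RIDs are derived from SHA-256 of the domain name, since the post's octet_string_to_RIDs is not defined there I assume the 32-byte digest is split into eight big-endian 32-bit RIDs, S-1-22-3 is taken for foreign UIDs and S-1-22-4 for foreign GIDs, and the reverse mapping shows that a SID can only be resolved back to a domain the local host already knows about.

```python
import hashlib

# Assumed prefixes: the post proposes S-1-22-3 for UIDs in foreign Unix
# domains; S-1-22-4 is taken here to be the GID counterpart.
FOREIGN_UID_PREFIX = "S-1-22-3"
FOREIGN_GID_PREFIX = "S-1-22-4"
RID_MAX = 0xFFFFFFFF  # a SID sub-authority is a 32-bit value


def domain_rids(domain_name):
    """octet_string_to_RIDs(SHA_256(domain_name)), assumed here to mean:
    lower-case the name, hash it, split the digest into eight 32-bit RIDs."""
    digest = hashlib.sha256(domain_name.lower().encode("utf-8")).digest()
    return [int.from_bytes(digest[i:i + 4], "big") for i in range(0, 32, 4)]


def unix_id_to_sid(domain_name, unix_id, is_group=False):
    """Map a foreign domain's UID/GID to S-1-22-{3,4}-<8 domain RIDs>-<id>."""
    if not 0 <= unix_id <= RID_MAX:
        raise ValueError("Unix ID does not fit in a 32-bit RID")
    prefix = FOREIGN_GID_PREFIX if is_group else FOREIGN_UID_PREFIX
    return "-".join([prefix] + [str(r) for r in domain_rids(domain_name)]
                    + [str(unix_id)])


def sid_to_unix_id(sid, known_domains):
    """Reverse mapping. Returns (domain_name, unix_id, is_group), or None when
    the SID is not a foreign Unix-domain SID or its domain RIDs match none of
    the locally configured domains (an unknown domain cannot be resolved)."""
    parts = sid.split("-")
    # S, revision 1, authority 22, kind (3|4), 8 domain RIDs, 1 Unix ID = 13
    if len(parts) != 13 or parts[:3] != ["S", "1", "22"] or parts[3] not in "34":
        return None
    try:
        subs = [int(p) for p in parts[4:]]
    except ValueError:
        return None
    if any(not 0 <= s <= RID_MAX for s in subs):
        return None
    rids, unix_id = subs[:8], subs[8]
    for name in known_domains:
        if domain_rids(name) == rids:
            return name, unix_id, parts[3] == "4"
    return None


def unix_name_to_foreign(name, domain_name):
    """Second step of the post: <name>@<domain-name>. Rejects names that
    already contain '@' so the result stays unambiguous (my assumption)."""
    if "@" in name or not name:
        raise ValueError("ambiguous or empty Unix name")
    return "%s@%s" % (name, domain_name.lower())
```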
This would require changes to idmapd(1M). I think the code to talk to foreign Unix domains and cast their IDs into our local form should be easy to compartmentalize. idmapd would have to learn how to determine the type of any given domain, and how to find how to talk to it — this is going to be what most of the surgery on idmapd would be about.
I don’t know when we might get to this. Maybe an enterprising member of the community could look into implementing this if they are in a hurry.
I’ve filed:
6714521 mapping between non-AD Unix domains would be nice too
Nico said this on June 13, 2008 at 15:32