I'm sorry, I guess I'm not very useful for idmapd. I can offer slightly
more info than I did before (plus considerable empathy) but I don't
really have the answers you seek.

You wrote:
>there is no explanation of Mapping section of the idmapd.conf file,
>only default entries.

As far as I can tell, it is a misconception to think that you get to
define user mappings manually by using the [Mapping] section, or that
there can be entries other than the 'defaults'. I'm only going by the
man page for idmapd.conf, which says that the variables allowed in the
Mapping section are Nobody-User and Nobody-Group. That seems to imply
that no other variables would be valid for that section. So, as far as
I can tell, individual user mappings would rely on correctly setting up
your domain so that idmap can figure that stuff out. But I'm not
entirely sure what "correctly setting up your domain" would look like.

I did some testing in a manner that seems similar to what you
described... and I was having problems like yours. So I began to
re-examine my lack-of-understanding of idmapd.

Previously, I was under the impression that idmapd would allow you to
have a server and a client with different UIDs/GIDs for the same
usernames, and it would automatically figure out how to map those for
you by passing names over the wire instead of UIDs. But according to
what I'm starting to find in different places online (which I'm not
fully understanding yet) some people appear to be saying that with
idmapd, within any domain, you have to have a common authentication
mechanism so that all names / uids / gids are in agreement. My reaction
is, "Okay, but then... if you have that... why would you need idmapd?"
It may be that instead of idmapd being intended to map joe on host1 to
joe on host2 (all within one domain), that it is instead supposed to
help map between joe@domain1 to joe@domain2 (but all occurrences of
joe@domain1 have to be in agreement already, as do all occurrences of
joe@domain2). I started trying to test that distinction by setting up
another domain, but I had no more success or clues or clarity come
about.

Obviously idmapd uses some paradigm more complicated than I have
grasped yet. Sounds like we're both in the same boat. Anyway, for the
moment all I can say is that if you get your various systems resolving
names/IDs against a common database, then you should avoid problems.
But if you specifically were hoping for something that could map users
for you and allow you to avoid using a common database, you might be out
of luck. Not sure.


--
dpartrid
------------------------------------------------------------------------
dpartrid's Profile: http://forums.novell.com/member.php?userid=18260
View this thread: http://forums.novell.com/showthread.php?t=444242
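An added example, not from this thread or from the idmapd project: a small shell helper that reads the settings the post talks about (Domain in [General], Nobody-User and Nobody-Group in [Mapping]) out of an idmapd.conf, checks that the domain matches what the other side of the mount uses, and shows which local account an owner name lands on when that name does not resolve on this host (idmapd then uses Nobody-User, which is why unmatched files show up as nobody). The sample config, its path and the test names are constructed assumptions.

```shell
# constructed sample idmapd.conf (assumption, not a real host's file)
CFG="$(mktemp)"
cat >"$CFG" <<'EOF'
[General]
# Verbosity = 0
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
EOF

# idmapd_get FILE SECTION KEY: print KEY's value from [SECTION], or nothing
idmapd_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }                      # comment lines
        /^[[:space:]]*\[/ {                               # section header
            hdr = $0; gsub(/[[:space:]]/, "", hdr)
            in_sec = (hdr == sec); next
        }
        in_sec && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); gsub(/^[[:space:]]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# same_domain FILE EXPECTED: succeed only if this host's Domain equals the
# one used on the other end of the mount (a mismatch makes every file
# appear owned by the nobody user)
same_domain() {
    [ "$(idmapd_get "$1" General Domain)" = "$2" ]
}

# resolve_or_nobody FILE NAME: the local account an owner name lands on:
# NAME if it exists on this host, otherwise the configured Nobody-User
resolve_or_nobody() {
    if id -u "$2" >/dev/null 2>&1; then
        printf '%s\n' "$2"
    else
        idmapd_get "$1" Mapping Nobody-User
    fi
}
```

Run `same_domain /etc/idmapd.conf <domain>` on both hosts with the same expected value, and `resolve_or_nobody /etc/idmapd.conf <user>` for each user that shows up as nobody, to see which of the two conditions the post describes is failing.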