What is left for 3.0.20a ?
Guenther Deschner
gd at samba.org
Fri Sep 23 19:55:28 GMT 2005
Hi Jerry,
On Fri, Sep 23, 2005 at 12:53:25PM -0500, Gerald (Jerry) Carter wrote:
> Guys,
>
> What outstanding bugs do you have for 3.0.20a? I just want to
> create a concise list that we can use to judge when it
> is time to ship.

* security = ads

The wrong user and primary group sid in the NT Token resulting from
reply_spnego_kerberos (solved in trunk by using the PAC) is really
something drastic, IMHO.

As we need to solve the case where a user does not get a PAC from a KDC
(by intention) anyway, we could add these calls maybe now for 3.0.20a.

And there is another builtin group scope mismatch I just found out:
When a user is a member of a Builtin group in ADS (not a Domain Local
Group!), that Builtin SID is returned by lookup_usergroups in the user's
SIDs array and then put into the user's token. When by coincidence an
Admin created a Builtin group with the same Builtin SID on the Samba
server to assign privileges to a group with assured local scope, then that
ADS user suddenly benefits from extra rights on the Samba server :)
Winbind expands unwillingly the scope of builtin groups here.

Guenther
--
Günther Deschner GPG-ID: 8EE11688
Novell / SUSE LINUX gd at suse.de
Samba Team gd at samba.org
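
The builtin group scope mismatch described in the message above, as an added example that is not part of the original post and is not Samba code. It builds a token from the SIDs a domain reports, once unfiltered and once dropping S-1-5-32-* entries so that only the local server's group database can grant BUILTIN membership. The filter is an assumed mitigation, not necessarily the fix Samba adopted; the SIDs are constructed samples and `sid_in_builtin`, `build_token` and `token_has` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Prefix of the BUILTIN domain; its groups are scoped to each machine. */
#define BUILTIN_PREFIX "S-1-5-32-"

static int sid_in_builtin(const char *sid)
{
    return strncmp(sid, BUILTIN_PREFIX, strlen(BUILTIN_PREFIX)) == 0;
}

/* Copy SIDs reported by the domain into a token. With drop_builtin set,
 * S-1-5-32-* entries are skipped, so a BUILTIN membership that only holds
 * on the domain side cannot match a local group. Returns the token length. */
static size_t build_token(const char *const *remote, size_t n,
                          const char **token, int drop_builtin)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        if (drop_builtin && sid_in_builtin(remote[i]))
            continue;
        token[out++] = remote[i];
    }
    return out;
}

static int token_has(const char *const *token, size_t n, const char *sid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(token[i], sid) == 0)
            return 1;
    return 0;
}

/* Constructed sample: SIDs a domain might report for one user. */
static const char *const sample_remote[] = {
    "S-1-5-21-1111-2222-3333-1105", /* the user (constructed) */
    "S-1-5-21-1111-2222-3333-513",  /* Domain Users (constructed domain) */
    "S-1-5-32-544",                 /* BUILTIN Administrators, domain side */
};

int main(void)
{
    const char *tok[3];
    size_t n = build_token(sample_remote, 3, tok, 0);
    printf("unfiltered: local admin match=%d\n", token_has(tok, n, "S-1-5-32-544"));
    n = build_token(sample_remote, 3, tok, 1);
    printf("filtered:   local admin match=%d\n", token_has(tok, n, "S-1-5-32-544"));
    return 0;
}
```

With the filter on, any BUILTIN membership on the server has to be added afterwards from the server's own local group mapping.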