[Samba] AD users from different AD domains - update

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed May 10 18:44:43 GMT 2006


On Wed, May 10, 2006 at 02:28:25PM -0400, Trimble, Ronald D wrote:
> 	I know you and I have been over this in the past, but I have a
> few questions based on this thread.  If winbind does correctly list the
> groups, why does it not correctly tell you that the user is indeed a
> member of that group? 

Those two are different operations, and AD is able to put
different ACLs on these operations. It's like listing a
directory and reading a file in that directory. The fact
that you can list /etc does not automatically mean that you
can also see the contents of /etc/shadow.

> Are you saying that if you were an admin in all domains it
> would work? 

It is extremely messy to find all group memberships of a
user, given global groups with nesting, domain local groups,
universal groups, local groups and builtin groups. It would
be a nightmare to code this up reliably in a trusted
environment. Given that winbind has admin privileges in all
domains then it would in theory be possible, but coding that
up and testing it in a relevant set of scenarios would at
least require a month of work (my rough guess, others might
be faster at this).

> What if the server was not merely a member
> server?  Would it work then?

It would have to be a domain controller in all domains,
which is as strong as being admin in all domains. Even more
complicated to code up, this even goes beyond what Samba4
tries to achieve.

> 	I am not trying to be a pain, I am just looking for solutions to
> a problem that lots of other Windows admins like myself see as a huge
> issue.  

Remove Windows from your network. That is the only real
solution. I apologize for being a bit harsh, but I've spent
quite a bit of time trying to explain that what you are
asking for is not possible in the world Windows presents to
us. Asking over and over again does not make the situation
any better.

Volker