domain group and local group API needed

Jeremy Allison jallison at cthulhu.engr.sgi.com
Fri Oct 30 00:23:04 GMT 1998 

Luke Kenneth Casson Leighton wrote:
> 
> 
> that would confuse the issue.  a user's groups is a list of RIDs.  those
> RIDs can be either local groups or domain groups.  a name of "domain group
> file" would imply that it is not possible to have users in local groups.
> 
> plus, if we name it "domain group file" then we really need "smb password
> file" to be renamed "domain password file".
> 
> plus, in the case of when you are a member of a domain, this option still
> has relevance
> 
> in this case:
> 
> - the smb passwd file becomes a list of local accounts
> - the smb group file can contain only local groups (no domain groups).
> 

But that is the purpose of the UNIX /etc/group file. You
do not need another group file in the "member of a domain"
case.

Remember, in the case of a Samba server which is a member
of a domain, the UNIX /etc/group file (or whatever remote
queried equivalent) specifies what groups a particular
user is in. It is this group list that is used by Samba
to setgroups() to when Samba becomes the UNIX uid for
that user. It is this group that defines the access
permissions for smbd on behalf of that user. All the
groups in that list are, by definition, groups *local*
to that UNIX server.

Samba servers that are members of a domain can have
no concept of "Domain" groups - such a thing simply
doesn't exist in UNIX.

Now Samba acting as a PDC needs to serve out Domain
groups to NT clients and server. These systems understand
the difference between Local and Domain groups, so
such a file makes more sense in this case, as you want an
Administrator to be able to create arbitrarily named
Domain groups that users in the Domain SAM (in this
case the smbpasswd file) can be put into.

The original idea of the "groupname map" code was
to allow the UNIX /etc/groups database to be the
master group file for a system. However, as NT
systems tend to have specific meanings for groups
(eg. the Administrators group) then the groupname
map file was envisaged in a similar way as the username
map to allow the UNIX names to be mapped into the
NT names.

I think we need to have some serious discussions
about the use of groups in the code before you
check any of your changes into the code tree.

Currently I don't have your new phone number at
ISS, can you email it to me so we can chat about
this.

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

More information about the samba-ntdom mailing list