FIxed [was Re: Authentication through transitive trusts]

Esh, Andrew Andrew_Esh at adaptec.com
Thu Aug 7 13:23:24 GMT 2003


In "let them choose", who is "them"? NFS users?

The Windows client gets the list of users to apply for an ACL directly from
the domain. If your system pulls in a list and lets them choose the users as
if they are local to the Samba server, then it's doing a user identity
translation in both directions that isn't needed at all. Let the client
choose users and groups from the domain, and then they will send you the ACL
list with the SIDs for each entry already set.

If you're pulling in the list to do UID mapping between Windows and NFS,
good luck.

I suppose it would be nice if wbinfo -u took an optional domain name
argument, to scope the output.

-----Original Message-----
From: Ken Cross [mailto:kcross at nssolutions.com]
Sent: Thursday, August 07, 2003 6:10 AM
To: 'Gerald (Jerry) Carter'
Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
Subject: RE: FIxed [was Re: Authentication through transitive trusts]


> > 
> > How 'bout we add a switch to wbinfo (and appropriate support in
> > winbindd) to limit the list on -u or -g to the domain we have joined,
> > or some specific domain.  Maybe --domain=<domain-name> (with something
> > like "." for the domain we joined)?
> 
> Why are you running 'wbinfo -u'?  What purpose does it serve other than
> debugging?  Are you piping the users to another program?
> 

Yep.  It's used to manage ACLs.  Domain users/groups can be added to ACLs,
so we present a list and let them choose.

Consequently, we need to authenticate against any domain, but be able to
limit the list to a reasonable size.  

Currently, the list from wbinfo -u is just the domain we joined or *all*
domains.  Some other options would be useful.

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 
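
Added example, not part of the original thread and not Samba code: a shell filter that applies the scoping requested above to `wbinfo -u` / `wbinfo -g` style output after the fact, with "." standing for the joined domain. It assumes one name per line, the winbind separator between domain and name, and that names without a domain prefix belong to the joined domain; `scope_principals`, `sample_list` and the sample names are hypothetical.

```shell
#!/bin/sh
# Scope a list of domain users/groups (one per line, as printed by
# "wbinfo -u" or "wbinfo -g") to a single domain.
#
# Usage: scope_principals DOMAIN OWN_DOMAIN [SEPARATOR] < list
#   DOMAIN      domain to keep; "." means OWN_DOMAIN (the domain we joined)
#   OWN_DOMAIN  joined domain; names with no domain prefix are assumed to
#               belong to it (as with "winbind use default domain = yes")
#   SEPARATOR   winbind separator, default "\"
# Typical call: wbinfo -u | scope_principals . "$(wbinfo --own-domain)"
scope_principals() (
    want=$1
    own=$2
    sep=${3-}
    [ -n "$sep" ] || sep='\'
    if [ "$want" = "." ]; then want=$own; fi
    # Values go through the environment so awk does not interpret the
    # backslash separator as an escape sequence.
    WANT="$want" OWN="$own" SEP="$sep" awk '
        BEGIN {
            want = toupper(ENVIRON["WANT"])   # domain names compare
            own  = toupper(ENVIRON["OWN"])    # case-insensitively
            sep  = ENVIRON["SEP"]
        }
        /^[ \t]*$/ { next }                   # skip blank lines
        {
            i = index($0, sep)                # first separator ends the domain
            dom = (i > 0) ? toupper(substr($0, 1, i - 1)) : own
            if (dom == want) print
        }'
)

# Constructed sample input: two users of the joined domain (no prefix)
# and three users reached through trusts.
sample_list() {
    cat <<'EOF'
alice
bob
SALES\carol
SALES\dave
ENG\erin
EOF
}
```
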



