FIxed [was Re: Authentication through transitive trusts]

Ken Cross kcross at nssolutions.com
Thu Aug 7 13:29:52 GMT 2003


We provide a web-based GUI to let system administrators manage ACLs.  The
list of users/groups is clearly identified as to which domains they belong.
It's a convenience (but a big one).

User lists are used for other things as well.  For example, they can change
the UID assigned to a domain user through the GUI to match, say, NIS UIDs.
This, too, requires a list of users.

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: Esh, Andrew [mailto:Andrew_Esh at adaptec.com] 
> Sent: Thursday, August 07, 2003 9:23 AM
> To: 'Ken Cross'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: FIxed [was Re: Authentication through transitive trusts]
> 
> 
> In "let them choose", who is "them"? NFS users?
> 
> The windows client gets the list of users to apply for an ACL 
> directly from the domain. If your system pulls in a list and 
> lets them choose the users as if they are local to the Samba 
> server, then it's doing a user identity translation in both 
> directions that isn't needed at all. Let the client choose 
> users and groups from the domain, and then they will send you 
> the ACL list with the SIDs for each entry already set.
> 
> If you're pulling in the list to do UID mapping between 
> Windows and NFS, good luck.
> 
> I suppose it would be nice if wbinfo -u took an optional 
> domain name argument, to scope the output.
> 
> -----Original Message-----
> From: Ken Cross [mailto:kcross at nssolutions.com]
> Sent: Thursday, August 07, 2003 6:10 AM
> To: 'Gerald (Jerry) Carter'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: FIxed [was Re: Authentication through transitive trusts]
> 
> 
> > > 
> > > How 'bout we add a switch to wbinfo (and appropriate support in
> > > winbindd) to limit the list on -u or -g to the domain we have joined,
> > > or some specific domain.  Maybe --domain=<domain-name> (with something
> > > like "." for the domain we joined)?
> > 
> > why are you running 'wbinfo -u'?  What purpose does it serve other than
> > debugging?  Are you piping the users to another program?
> > 
> 
> Yep.  It's used to manage ACLs.  Domain users/groups can be added to ACLs,
> so we present a list and let them choose.
> 
> Consequently, we need to authenticate against any domain, but be able to
> limit the list to a reasonable size.
> 
> Currently, the list from wbinfo -u is just the domain we joined or *all*
> domains.  Some other options would be useful.
> 
> Ken
> ________________________________
> 
> Ken Cross
> 
> Network Storage Solutions
> Phone 865.675.4070 ext 31
> kcross at nssolutions.com 
> 
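
The domain scoping proposed in this thread can also be done on the consumer side of `wbinfo -u`; the sketch below is an added example, not part of the original messages and not Samba code. It assumes one account per line in `DOMAIN<separator>user` form and that lines without a separator belong to the joined domain; the function name and sample accounts are constructed.

```shell
#!/bin/sh
# Filter `wbinfo -u` style output (one account per line) down to one domain.
# Usage: wbinfo -u | filter_domain_users DOMAIN JOINED_DOMAIN [SEPARATOR]
#   DOMAIN "."  selects the joined domain, as suggested in the thread.
#   SEPARATOR   defaults to a backslash.
# Assumption: a line with no separator is an account of the joined domain
# (prefix stripped by the server configuration). Output is always fully
# qualified, so same-named accounts in two domains stay distinct in an ACL.
filter_domain_users() {
    fdu_want=$1
    fdu_joined=$2
    fdu_sep='\'
    if [ -n "${3-}" ]; then fdu_sep=$3; fi
    if [ "$fdu_want" = "." ]; then fdu_want=$fdu_joined; fi

    # Values go through the environment, not `awk -v`, because -v would
    # interpret the backslash separator as the start of an escape sequence.
    WANT=$fdu_want JOINED=$fdu_joined SEP=$fdu_sep awk '
        BEGIN {
            want   = toupper(ENVIRON["WANT"])
            joined = toupper(ENVIRON["JOINED"])
            sep    = ENVIRON["SEP"]
        }
        {
            i = index($0, sep)
            if (i > 0) {
                dom  = toupper(substr($0, 1, i - 1))
                user = substr($0, i + length(sep))
            } else {
                dom  = joined
                user = $0
            }
            # Domain names are compared case-insensitively; empty names dropped.
            if (user != "" && dom == want) print dom sep user
        }'
}

# Constructed sample input standing in for real `wbinfo -u` output.
printf '%s\n' 'CORP\alice' 'PARTNER\carol' 'dave' | filter_domain_users . CORP
```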