do not support winbind users or groups in smb.confi
without seciftying a domain
Andrew Bartlett
abartlet at samba.org
Sun Nov 30 10:49:03 GMT 2003
On Sun, 2003-11-30 at 15:04, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andrew Bartlett wrote:
>
> > This is what has me confused about this issue - if we can't
> > tell that this is a winbind group, and if nsswitch is
> > actually working correctly, how is a winbind group any different
> > from a local unix group?
> >
> > I understand this means we cannot apply any 'is winbind group'
> > optimisations, but other than that, what is is about these
> > groups that causes things to break?
>
> In theory you are correct but not in practice. There are several
> hand tuned cases for winbindd in the smbd code. I've had three
> or four bugs come up because of this. The code doesn't work correctly
> because no one ever ran the full series of tests. And since the
> original intent was to use 'winbind use default domain' for unix
> services, i'm just suggesting that we stick with that plan. It's no
> help for smb.conf.
The only problem I can see is that we will be inconsistent between users
and groups. I know you will really hate me now, but with 'winbind use
default domain', the 'users' part of the equation needs to *not* have
the domain prefix, while you propose that the groups must have it.
The thing is, we resolve all groups into a GID (this needs to be
optimised better for the winbind case) but we handle the users as a
string match. This causes the 'REAM.FOO\user' v 'DOMAIN\user' bug.
(where valid users gives us one, but the kerberos login gives the
other).
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20031130/0a953d35/attachment.bin
More information about the samba-technical
mailing list