do not support winbind users or groups in smb.conf without specifying a domain

Andrew Bartlett abartlet at samba.org
Sun Nov 30 10:49:03 GMT 2003


On Sun, 2003-11-30 at 15:04, Gerald (Jerry) Carter wrote:
> Andrew Bartlett wrote:
> 
> > This is what has me confused about this issue - if we can't
> > tell that this is a winbind group, and if nsswitch is
> > actually working correctly, how is a winbind group any different
> > from a local unix group?
> >
> > I understand this means we cannot apply any 'is winbind group'
> > optimisations, but other than that, what is it about these
> > groups that causes things to break?
> 
> In theory you are correct but not in practice.  There are several
> hand tuned cases for winbindd in the smbd code.  I've had three
> or four bugs come up because of this.  The code doesn't work correctly 
> because no one ever ran the full series of tests.  And since the 
> original intent was to use 'winbind use default domain' for unix 
> services, I'm just suggesting that we stick with that plan.  It's no 
> help for smb.conf.

The only problem I can see is that we will be inconsistent between users
and groups.   I know you will really hate me now, but with 'winbind use
default domain', the 'users' part of the equation needs to *not* have
the domain prefix, while you propose that the groups must have it.

The thing is, we resolve all groups into a GID (this needs to be
optimised better for the winbind case) but we handle the users as a
string match.  This causes the 'REAM.FOO\user' v 'DOMAIN\user' bug. 
(where valid users gives us one, but the kerberos login gives the
other).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
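
The mismatch described in the message above, as an added illustration that is not Samba code and not from either poster: group entries are compared after resolution to a numeric ID, user entries are compared as strings, so two spellings of one account disagree. The lookup table, the helper names and the numeric IDs are constructed assumptions; only the two name spellings come from the message.

```python
# Added illustration; not Samba code. The table and IDs are constructed.

# Constructed stand-in for a name-service lookup: every spelling of a
# principal resolves to one numeric ID, the way a group name resolves to a GID.
NAME_TO_ID = {
    "domain\\user": 10001,     # spelling an admin might put in 'valid users'
    "ream.foo\\user": 10001,   # spelling produced by the Kerberos login
    "domain\\other": 10002,    # a different account
}


def resolve(name):
    """Return the numeric ID for a name, or None if unknown (hypothetical helper)."""
    return NAME_TO_ID.get(name.lower())


def allowed_by_string(login_name, valid_users):
    """User-style check: compare the login name to each list entry as text."""
    return any(login_name.lower() == entry.lower() for entry in valid_users)


def allowed_by_id(login_name, valid_users):
    """Group-style check: resolve both sides to IDs and compare the IDs."""
    login_id = resolve(login_name)
    if login_id is None:
        return False  # an unresolvable login never matches any entry
    return any(resolve(entry) == login_id for entry in valid_users)


if __name__ == "__main__":
    acl = ["DOMAIN\\user"]
    for login in ("DOMAIN\\user", "REAM.FOO\\user", "DOMAIN\\other"):
        print(login, allowed_by_string(login, acl), allowed_by_id(login, acl))
```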