get_domain_user_groups() improvement.

Andrew Bartlett abartlet at
Fri Sep 24 22:32:33 GMT 2004

On Sat, 2004-09-25 at 08:24, Volker Lendecke wrote:
> On Sat, Sep 25, 2004 at 08:12:46AM +1000, Andrew Bartlett wrote:
> > In the past, we have had a parameter 'ldap trust ids'.  It was pulled
> I'm not sure I'm entirely comfortable with that idea. There was a reason why
> that parameter was removed, although I don't remember it anymore.

The parameter was removed because the code morphed into a form that
didn't use it.  That was unfortunate, as at one point it actually fixed
your biggest bug-bear - the sambaPrimaryGroupSid.

> The reason I'm worried is that this is really security-sensitive stuff.

So is everything else we have in LDAP.  So I don't think 'can we trust
the data in ldap' is really the question.  I agree that some of our more
insane admins might put completely conflicting data in ldap compared to
NSS, but we already have such a tight dependency there for groups

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Authentication Developer, Samba Team  
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list