Domain local groups?

Gerald (Jerry) Carter jerry at
Tue Apr 5 15:59:59 GMT 2005


Volker Lendecke wrote:

| The last line seems broken to me. Domain is the user's domain.
| This means that we only expand domain domain local groups if the
| user asking is in our primary domain. Trusted domains are never
| expanded. Attached find a fix for this case.

Here's the conclusion Volker and I came to in #samba-technical a few
minutes ago.

<jerry> vl: ok.  I think I understand.
<jerry> vl: when I re-read the section on group type and group scope this is what I get:
<jerry> obviously local groups can contain SIDs for users and groups outside its own domain.
<jerry> But the scope of the group is different.
<jerry> a local group has a scope of the local machine
<jerry> on a DC, the domain local group has a scope of its domain.
<jerry> so in your example (the one you emailed to me).
<jerry> the doml1 group is enforced on the XP client because the client is in the same domain as the doml1 group.
<jerry> but the WINDOWS domain (assuming another AD domain) would not be able to use the doml1 group in ACLs.
<jerry> Although you could add that sid manually to an acl, it would not be enforced.
<jerry> This is why the enumeration of domain local groups is only available to members of that domain.
<jerry> so then the code at line 1130 in winbindd_group.c is wrong.
<jerry> we should allow domain local groups from the USER_INFO_3 when that domain local group is from *our* domain.
<jerry> The user's domain doesn't really matter.
<jerry> does this match what you think?

cheers, jerry
Alleviating the pain of Windows(tm)
GnuPG Key
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
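The rule the exchange above settles on, written out as an added illustration (this is not Samba's winbindd code and the scope enum, struct and function names are invented for the example): when walking the group list of a USER_INFO_3, keep every global or universal group, but keep a domain local group only when its domain part matches the SID of the domain this machine belongs to, ignoring which domain the user came from.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative scopes for the example (not Samba's own enums). */
enum group_scope { SCOPE_GLOBAL, SCOPE_UNIVERSAL, SCOPE_DOMAIN_LOCAL };

struct group_entry {
    const char *sid;        /* textual SID, e.g. S-1-5-21-...-513 */
    enum group_scope scope;
};

/* True when the domain part of sid (everything before the final RID)
 * is exactly domain_sid. */
bool sid_in_domain(const char *sid, const char *domain_sid)
{
    const char *last_dash = strrchr(sid, '-');
    if (last_dash == NULL) return false;
    size_t prefix_len = (size_t)(last_dash - sid);
    return strlen(domain_sid) == prefix_len &&
           strncmp(sid, domain_sid, prefix_len) == 0;
}

/* The rule from the discussion: global and universal groups are always
 * kept; a domain local group is kept only when it belongs to the domain
 * this machine is a member of. The user's own domain is not consulted. */
bool keep_group(const struct group_entry *g, const char *our_domain_sid)
{
    if (g->scope != SCOPE_DOMAIN_LOCAL) return true;
    return sid_in_domain(g->sid, our_domain_sid);
}

/* Compact the token's group list in place; returns how many were kept. */
size_t filter_groups(struct group_entry *groups, size_t n,
                     const char *our_domain_sid)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (keep_group(&groups[i], our_domain_sid)) groups[kept++] = groups[i];
    return kept;
}
```

With a constructed token holding a domain local group from our domain, a domain local group from a trusted domain and a global group from that trusted domain, only the trusted domain local group is dropped.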

