Domain local groups?
Gerald (Jerry) Carter
jerry at samba.org
Tue Apr 5 15:59:59 GMT 2005
Volker Lendecke wrote:
| The last line seems broken to me. Domain is the user's domain.
| This means that we only expand domain domain local groups if the
| user asking is in our primary domain. Trusted domains are never
| expanded. Attached find a fix for this case.
Here's the conclusion Volker and I came to in #samba-technical a few
<jerry> vl: ok. I think I understand.
<jerry> vl: when I re-read the section on group type and group scope this is what I get:
<jerry> obviously local groups can contain SIDs for users and groups outside its own domain.
<jerry> But the scope of the group is different.
<jerry> a local group has a scope of the local machine
<jerry> on a DC, the domain local group has a scope of its domain.
<jerry> so in your example (the one you emailed to me).
<jerry> the doml1 group is enforced on the XP client because the client is in the same domain as the doml1 group.
<jerry> but the WINDOWS domain (assuming another AD domain) would not be able to use the doml1 group in ACLs.
<jerry> Although you could add that SID manually to an ACL, it would not
<jerry> This is why the enumeration of domain local groups is only available to members of that domain.
<jerry> so then the code at line 1130 in winbindd_group.c is wrong.
<jerry> we should allow domain local groups from the USER_INFO_3 when that domain local group is from *our* domain.
<jerry> The user's domain doesn't really matter.
<jerry> does this match what you think?
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
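The rule the IRC excerpt arrives at, as a standalone C illustration added here (not Samba's winbindd code): a domain local group reported for a logged-on user is honoured only when the group belongs to our own domain, whatever domain the user came from. The domain SIDs are constructed sample values, and the caller supplies the is_domain_local flag, since the thread does not say how that is detected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Copy the domain part of a SID (everything before the final "-RID")
 * into out; false when the SID has no RID component. */
static bool sid_domain_prefix(const char *sid, char *out, size_t outlen)
{
    const char *dash = strrchr(sid, '-');
    if (dash == NULL || dash == sid)
        return false;
    size_t n = (size_t)(dash - sid);
    if (n >= outlen)
        return false;
    memcpy(out, sid, n);
    out[n] = '\0';
    return true;
}

/* Rule from the discussion: global groups are always honoured; a domain
 * local group is honoured only when it belongs to our own domain. The
 * user's domain plays no part in the decision. */
bool keep_group(const char *group_sid, bool is_domain_local,
                const char *our_domain_sid)
{
    char domain[128];
    if (!is_domain_local)
        return true;
    if (!sid_domain_prefix(group_sid, domain, sizeof(domain)))
        return false;  /* malformed SID: drop rather than guess */
    return strcmp(domain, our_domain_sid) == 0;
}

/* Constructed sample: a user from trusted domain S-1-5-21-999-888-777
 * logs on, and our DC (domain S-1-5-21-100-200-300) sees three group
 * SIDs for that user. Returns how many survive the filter. */
size_t demo_kept_count(void)
{
    const char *our_domain = "S-1-5-21-100-200-300";
    const char *groups[] = {
        "S-1-5-21-999-888-777-513",  /* global group, trusted domain */
        "S-1-5-21-100-200-300-1105", /* domain local group, our domain */
        "S-1-5-21-999-888-777-1200", /* domain local group, trusted domain */
    };
    const bool is_local[] = { false, true, true };
    size_t kept = 0;
    for (size_t i = 0; i < 3; i++)
        kept += keep_group(groups[i], is_local[i], our_domain);
    return kept;
}
```

Only the trusted domain's global group and our own domain local group survive; the trusted domain's local group is dropped because it has no scope here.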