svn commit: samba r5058 - branches/SAMBA_3_0/source/passdb trunk/source/passdb

Guenther Deschner gd at samba.org
Sun Jan 30 11:44:59 GMT 2005


Hi,

On Sun, Jan 30, 2005 at 10:24:05PM +1100, Andrew Bartlett wrote:
> > Sorry Guenther
> > are you sure this modification does not make us inconsistent?
> > 
> > What are you trying to "fix" here exactly?

The point is: we always returned the first entry of "admin users",
regardless of what mapping we had in passdb. 

Leading to nice effects like

  admin users = trustdoma\administrator trustdomb\administrator root administrator..

gives you

  a mydomain\trustdoma\administrator when looking up $MYDOMSID-500 (e.g.
in security tab of file-acls, etc.)

This is very wrong, IMHO. So I first pushed that evaluation *below* the
passdb query to give "administrator" at least a chance to be found in
passdb and later removed the admin-user list query completely because it's
just wrong. 

> At one point, it was my view that we should map this to 'root' (uid==0)
> by force.  I was told that we should use 'admin users' for that, and
> that's how we got here.  To my mind, the correct solution is to require
> a passdb entry for root (like we do for nobody), and to likewise make
> the forced mapping in pdb_smbpasswd.

I guess for smbpasswd we could use the username-map to have a mapping
here. Again, returning first entry of admin users was not the right
approach.

Guenther

-- 
Guenther Deschner                                               Samba Team
SerNet GmbH - Goettingen                                      gd at samba.org
gd at sernet.de
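
The three lookup orders discussed in the message above, as an added example that is not part of the original mail and not Samba's passdb code. It is a simplified model: the function names, the dict standing in for passdb, and the sample values (built from the "admin users" line quoted in the mail) are assumptions.

```python
# Simplified model of resolving the well-known RID 500 to a display name.
# Hypothetical names throughout; this does not reproduce Samba's sources.

ADMIN_RID = 500


def parse_admin_users(value):
    """Split an 'admin users' value into its whitespace-separated entries."""
    return value.split()


def lookup_old(rid, passdb, admin_users, domain):
    """Original behaviour: the first 'admin users' entry always wins for RID 500."""
    if rid == ADMIN_RID and admin_users:
        return f"{domain}\\{admin_users[0]}"
    name = passdb.get(rid)
    return f"{domain}\\{name}" if name else None


def lookup_passdb_first(rid, passdb, admin_users, domain):
    """First change: ask passdb first, fall back to 'admin users' only on a miss."""
    name = passdb.get(rid)
    if name:
        return f"{domain}\\{name}"
    if rid == ADMIN_RID and admin_users:
        return f"{domain}\\{admin_users[0]}"
    return None


def lookup_passdb_only(rid, passdb, domain):
    """Final change: only the passdb mapping decides; 'admin users' is not consulted."""
    name = passdb.get(rid)
    return f"{domain}\\{name}" if name else None


# Constructed sample data, modelled on the configuration quoted in the mail.
ADMIN_USERS = parse_admin_users(
    r"trustdoma\administrator trustdomb\administrator root administrator"
)
PASSDB = {ADMIN_RID: "administrator"}  # RID -> account name (constructed)
EMPTY_PASSDB = {}                      # no mapping for RID 500

if __name__ == "__main__":
    for label, db in (("passdb has RID 500", PASSDB), ("passdb empty", EMPTY_PASSDB)):
        print(label)
        print("  old          :", lookup_old(ADMIN_RID, db, ADMIN_USERS, "mydomain"))
        print("  passdb first :", lookup_passdb_first(ADMIN_RID, db, ADMIN_USERS, "mydomain"))
        print("  passdb only  :", lookup_passdb_only(ADMIN_RID, db, "mydomain"))
```
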