svn commit: samba r5058 - branches/SAMBA_3_0/source/passdb trunk/source/passdb

Guenther Deschner gd at
Sun Jan 30 11:44:59 GMT 2005


On Sun, Jan 30, 2005 at 10:24:05PM +1100, Andrew Bartlett wrote:
> > Sorry Guenther
> > are you sure this modification do not make us inconsistent ?
> > 
> > What are you trying to "fix" here exactly?

The point is: we always returned the first entry of "admin users",
regardless of what mapping we had in passdb. 

Leading to nice effects like

  admin users = trustdoma\administrator trustdomb\administrator root administrator..

gives you

  a mydomain\trustdoma\administrator when looking up $MYDOMSID-500 (e.g.
in security tab of file-acls, etc.)

This is very wrong, IMHO. So I first pushed that evaluation *below* the
passdb query to give "administrator" at least a chance to be found in
passdb and later removed the admin-user list query completly because it's
just wrong. 

> At one point, it was my view that we should map this to 'root' (uid==0)
> by force.  I was told that we should use 'admin users' for that, and
> that's how we got here.  To my mind, the correct solution is to require
> a passdb entry for root (like we do for nobody), and to likewise make
> the forced mapping in pdb_smbpasswd.

I guess for smbpasswd we could use the username-map to have a mapping
here. Again, returning first entry of admin users was not the right


Guenther Deschner                                               Samba Team
SerNet GmbH - Goettingen                                      gd at samba,org
gd at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list