svn commit: samba r5058 - branches/SAMBA_3_0/source/passdb trunk/source/passdb
Guenther Deschner
gd at samba.org
Sun Jan 30 11:44:59 GMT 2005
Hi,
On Sun, Jan 30, 2005 at 10:24:05PM +1100, Andrew Bartlett wrote:
> > Sorry Guenther
> > are you sure this modification does not make us inconsistent?
> >
> > What are you trying to "fix" here exactly?
The point is: we always returned the first entry of "admin users",
regardless of what mapping we had in passdb.
Leading to nice effects like

    admin users = trustdoma\administrator trustdomb\administrator root administrator..

gives you
a mydomain\trustdoma\administrator when looking up $MYDOMSID-500 (e.g.
in security tab of file-acls, etc.)
This is very wrong, IMHO. So I first pushed that evaluation *below* the
passdb query to give "administrator" at least a chance to be found in
passdb and later removed the admin-user list query completely because it's
just wrong.
> At one point, it was my view that we should map this to 'root' (uid==0)
> by force. I was told that we should use 'admin users' for that, and
> that's how we got here. To my mind, the correct solution is to require
> a passdb entry for root (like we do for nobody), and to likewise make
> the forced mapping in pdb_smbpasswd.
I guess for smbpasswd we could use the username-map to have a mapping
here. Again, returning first entry of admin users was not the right
approach.
Guenther
--
Guenther Deschner Samba Team
SerNet GmbH - Goettingen gd at samba,org
gd at sernet.de
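
The three lookup orderings described in this message, as a simplified model added here for illustration; it is not Samba code. The names `rid_to_name`, `passdb_lookup` and the policy enum, the sample passdb contents and the MYDOMAIN label are hypothetical, and the "admin users" list is the one from the message.

```c
#include <stdio.h>
#include <string.h>

#define RID_ADMIN 500u   /* the $MYDOMSID-500 case from the message */

/* Constructed sample data following the message's example. */
static const char *admin_users[] = {
    "trustdoma\\administrator", "trustdomb\\administrator", "root", "administrator" };
struct pdb_entry { unsigned rid; const char *name; };
static const struct pdb_entry passdb[] = { { 500u, "administrator" }, { 1001u, "alice" } };

/* The original ordering, the intermediate one, and the final one. */
enum policy { ADMIN_USERS_FIRST, PASSDB_THEN_ADMIN_USERS, PASSDB_ONLY };

/* Look a RID up in the model passdb; NULL when there is no mapping. */
const char *passdb_lookup(const struct pdb_entry *db, size_t n, unsigned rid)
{
    for (size_t i = 0; i < n; i++)
        if (db[i].rid == rid)
            return db[i].name;
    return NULL;
}

/* Resolve a RID to an account name under one of the three orderings. */
const char *rid_to_name(enum policy p, const struct pdb_entry *db, size_t n, unsigned rid)
{
    /* Only RID 500 ever consulted the "admin users" list, and only its first entry. */
    const char *first_admin = (rid == RID_ADMIN) ? admin_users[0] : NULL;
    const char *mapped = passdb_lookup(db, n, rid);

    switch (p) {
    case ADMIN_USERS_FIRST:       return first_admin ? first_admin : mapped;
    case PASSDB_THEN_ADMIN_USERS: return mapped ? mapped : first_admin;
    case PASSDB_ONLY:             return mapped;
    }
    return NULL;
}

int main(void)
{
    const char *labels[] = { "admin users first", "passdb, then admin users", "passdb only" };
    for (int p = ADMIN_USERS_FIRST; p <= PASSDB_ONLY; p++) {
        const char *name = rid_to_name((enum policy)p, passdb, 2, RID_ADMIN);
        printf("%-26s MYDOMAIN\\%s\n", labels[p], name ? name : "(unmapped)");
    }
    return 0;
}
```

With an empty passdb the intermediate ordering still falls back to the trusted-domain name, while the passdb-only ordering reports the RID as unmapped.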