removing BUILTIN from winbind nested groups ?

Gerald (Jerry) Carter jerry at
Tue Jun 14 18:47:30 GMT 2005


How would you feel about removing the BUILTIN domain from
winbind nested groups and restricting winbind to local
administrator defined groups?  My reasoning for this is

(a) builtin groups don't give us any more advantage
than local groups from a unix perspective

(b) I want to simplify smbd's internal security descriptor
creation for pipes and services (e.g. samr, svcctl, etc...)

The second point is really my driving focus here.  Currently
when we create a security descriptor for a printer, or service,
or samr domain object, we have to take into account 3 scenarios:
a member server, a domain controller, and a standalone server.
I would like to hard code some memberships in the BUILTIN groups
into smbd so that I can just deal with the BUILTIN\Administrators
group (like Windows does) and have the SIDs added to the user
token at session setup.

There are some limitations here in that a user cannot modify
the membership of builtin groups, but the advantage of it is that
things just work.  We have one case to consider when creating
security descriptors.  And we get this without requiring
winbind nested groups or any extra setup on the admin's side.

And I'm still working on Simo's comments from a few weeks back
about local groups and ldapsam.

cheers, jerry
