removing BUILTIN from winbind nested groups ?

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jun 15 10:47:44 GMT 2005


On Tue, Jun 14, 2005 at 01:47:30PM -0500, Gerald (Jerry) Carter wrote:
> How would you feel about removing the BUILTIN domain from
> winbind nested groups and restricting winbind to local
> administrator defined groups.  My reasoning for this is

What you want as far as I can tell is to have a static security descriptor
giving S-1-5-32-544 (BUILTIN\Administrators) a special
right. BUILTIN\Administrators is a local group that can have for example
DOMAIN\"Domain Admins" as a member. 

We came to the conclusion that for any kind of nested groups winbind is
mandatory, so one way to solve this is to force winbind always. We could make
smbd fork winbind if it's not there.

In the current setup this would not work on installations that don't have a
working nss_winbind as nested group expansion works via nss currently.

For purely samba-internal purposes, is there a real reason for this link to
NSS? If we had winbind around always, would it be an option to have a winbind
operation along the lines of samr_GetAliasMembership: Give winbind a list of
SIDs and return the list of SIDs augmented by the list of aliases any of the
SIDs is member of? This would be called in make_server_info, the additional
SIDs could then be sent through sid2gid to augment the unix token. If the
sid2gid calls fail for the aliases this means no nss_winbind is around (idmap
working without nss_winbind is broken and needs detecting) and we don't put
the gids into the unix token but keep the alias SIDs around for internal
Samba permission checking.

Having winbind around always has the potential to also simplify a lot of other
code in smbd I think, but I'm not sure this isn't too radical.

Volker
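As an added illustration of the flow Volker sketches above (this is example code written for this archive page, not code from the thread or from Samba), the following Python model expands a list of SIDs with the aliases they are transitively members of, in the manner of samr_GetAliasMembership, then builds a token the way the proposed make_server_info step would: alias gids go into the unix part only when every alias resolves through sid2gid, otherwise the alias SIDs are kept purely for Samba-internal checks. The alias table, the two idmap tables and all SIDs below S-1-5-32 are constructed sample data; the alias S-1-5-21-1-2-3-1100 is hypothetical.

```python
"""Model of alias-membership expansion and token building (constructed example)."""
from typing import Dict, Iterable, List, Set

# Constructed sample data, not Samba's real tables: alias SID -> direct member SIDs.
ALIAS_MEMBERS: Dict[str, Set[str]] = {
    "S-1-5-32-544": {"S-1-5-21-1-2-3-512"},   # BUILTIN\Administrators contains DOMAIN\Domain Admins
    "S-1-5-32-545": {"S-1-5-21-1-2-3-513"},   # BUILTIN\Users contains DOMAIN\Domain Users
    "S-1-5-21-1-2-3-1100": {"S-1-5-32-544"},  # hypothetical local alias nesting BUILTIN\Administrators
}

# Two constructed idmap tables standing in for sid2gid results:
# one host with nss_winbind (aliases map to gids), one without (alias lookups fail).
IDMAP_WITH_NSS_WINBIND: Dict[str, int] = {
    "S-1-5-21-1-2-3-512": 10512,
    "S-1-5-32-544": 10544,
    "S-1-5-21-1-2-3-1100": 11100,
}
IDMAP_WITHOUT_NSS_WINBIND: Dict[str, int] = {"S-1-5-21-1-2-3-512": 10512}


def get_alias_membership(sids: Iterable[str], alias_members: Dict[str, Set[str]]) -> List[str]:
    """Return the input SIDs followed by every alias any of them is a member of,
    following nested aliases until no new alias appears (transitive closure)."""
    result = list(sids)
    seen = set(result)
    queue = list(result)
    while queue:
        sid = queue.pop()
        for alias, members in alias_members.items():
            if sid in members and alias not in seen:
                seen.add(alias)
                result.append(alias)
                queue.append(alias)  # nested alias: its own aliases must be found too
    return result


def make_server_info(user_sid: str, group_sids: List[str],
                     alias_members: Dict[str, Set[str]], idmap: Dict[str, int]) -> dict:
    """Build a token: SID list (always alias-augmented) plus unix gids.

    sid2gid is modelled by a dict lookup. Domain group gids are mapped as usual;
    alias gids are added only if every alias resolves. Any failing alias lookup is
    taken as 'no nss_winbind here', so no alias gid enters the unix token and the
    alias SIDs remain available for internal permission checks only."""
    base = [user_sid] + list(group_sids)
    expanded = get_alias_membership(base, alias_members)
    aliases = expanded[len(base):]

    gids = [idmap[sid] for sid in group_sids if sid in idmap]
    alias_gids = [idmap[sid] for sid in aliases if sid in idmap]
    if len(alias_gids) == len(aliases):
        gids.extend(alias_gids)
        internal_only: List[str] = []
    else:
        internal_only = list(aliases)  # kept in the SID list, deliberately not in gids

    return {"sids": expanded, "gids": gids, "internal_only_sids": internal_only}


def token_has_sid(token: dict, sid: str) -> bool:
    """Samba-internal check that works whether or not the alias has a gid."""
    return sid in token["sids"]


def allowed_by_static_sd(token: dict, allow_sids: Iterable[str]) -> bool:
    """Check a static 'allow' list, e.g. one granting S-1-5-32-544 a special right."""
    return any(token_has_sid(token, sid) for sid in allow_sids)


if __name__ == "__main__":
    for name, idmap in (("with nss_winbind", IDMAP_WITH_NSS_WINBIND),
                        ("without nss_winbind", IDMAP_WITHOUT_NSS_WINBIND)):
        tok = make_server_info("S-1-5-21-1-2-3-1001", ["S-1-5-21-1-2-3-512"], ALIAS_MEMBERS, idmap)
        print(name, tok, "admin:", allowed_by_static_sd(tok, ["S-1-5-32-544"]))
```

Note that only alias lookups are treated as the nss_winbind probe; a domain group that idmap cannot map is left out of the gid list without affecting the alias decision, which matches the separation the mail draws between the unix token and Samba's own SID-based checks.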