removing BUILTIN from winbind nested groups ?

Simo Sorce idra at samba.org
Fri Jun 17 08:09:23 GMT 2005


On Thu, 2005-06-16 at 15:06 -0500, Gerald (Jerry) Carter wrote:
> Simo Sorce wrote:
> > On Thu, 2005-06-16 at 13:15 -0500, Gerald (Jerry) Carter wrote:
> >> support for BUILTIN groups internally to smbd.  Create
> >> default memberships in the builtin groups.
> > 
> > I think this move would make migrations with vampire a possible
> > nightmare, you may end up missing fundamental group memberships.
> 
> If I can solve this issue, then are you on board ?

My thoughts are these:

On domain masters or domain members we should require winbind anyway.
Sooner or later the admin will want to set up a trust relationship or
use it as an authentication proxy etc... So I think that Volker's idea
of making it required by smbd (or even forked out by smbd on startup)
is a good idea.
On standalone servers I agree with John that winbind may be too much.
Anyway, being able to use nested groups on a standalone server is a very
useful thing even for standalone setups.

So my first choice is to make winbind a required (forked out ?)
component of samba, I would go even further by delegating to winbind any
SID-[UG]ID mapping by moving the idmap stuff inside it, I've recently
had problems with a migrated environment and SID mapping that made me
hate the fact that smbd does only algorithmic mapping regardless. I'm
not going into details anyway.

But, if you find out a sensible way to have the BUILTIN groups
managed by smbd with modifiable group membership (except for DOMAIN
\Domain Admins for example) I'm fine, I'm just a bit worried this
solution may simplify a few places in the code at the expense of
compatibility and usability.

Simo.

-- 
Simo Sorce    -  idra at samba.org
Samba Team    -  http://www.samba.org
Italian Site  -  http://samba.xsec.it
