removing BUILTIN from winbind nested groups ?

Simo Sorce idra at
Fri Jun 17 08:09:23 GMT 2005

On Thu, 2005-06-16 at 15:06 -0500, Gerald (Jerry) Carter wrote:
> Simo Sorce wrote:
> > On Thu, 2005-06-16 at 13:15 -0500, Gerald (Jerry) Carter wrote:
> >> support for BUILTIN groups internally to smbd.  Create
> >> default memberships in the builtin groups.
> > 
> > I think this move would make migrations with vampire a possible
> > nightmare, you may end up missing fundamental group memberships.
> If I can solve this issue, then are you on board ?

My thoughts are these:

On domain masters or domain members we should require winbind anyway.
Sooner or later the admin will want to set up a trust relationship or
use it as an authentication proxy etc... So I think that Volker's idea
of making it required by smbd (or even forked out by smbd on startup)
is a good idea. 
On standalone servers I agree with John that winbind may be too much.
Anyway, being able to use nested groups on a standalone server is a very
useful thing even for standalone setups.

So my first choice is to make winbind a required (forked out ?)
component of samba, I would go even further by delegating to winbind any
SID-[UG]ID mapping by moving the idmap stuff inside it, I've recently
had problems with a migrated environment and SID mapping that made me
hate the fact that smbd does only algorithmic mapping regardless. I'm
not going into details anyway.

But, if you find out a sensible way to make the BUILTIN group be
managed by smbd with modifiable group membership (except for
DOMAIN\Domain Admins for example) I'm fine, I'm just a bit worried this
solution may simplify a few places in the code at the expense of
compatibility and usability.


Simo Sorce    -  idra at
Samba Team    -
Italian Site  -
