removing BUILTIN from winbind nested groups ?
idra at samba.org
Fri Jun 17 08:09:23 GMT 2005
On Thu, 2005-06-16 at 15:06 -0500, Gerald (Jerry) Carter wrote:
> Simo Sorce wrote:
> > On Thu, 2005-06-16 at 13:15 -0500, Gerald (Jerry) Carter wrote:
> >> support for BUILTIN groups internally to smbd. Create
> >> default memberships in the builtin groups.
> > I think this move would make migrations with vampire a possible
> > nightmare; you may end up missing fundamental group memberships.
> If I can solve this issue, then are you on board?
My thoughts are these:
On domain masters or domain members we should require winbind anyway.
Sooner or later the admin will want to set up a trust relationship or
use it as an authentication proxy etc... So I think that Volker's idea
of making it required by smbd (or even forked out by smbd on startup)
is a good idea.
On standalone servers I agree with John that winbind may be too much.
Anyway, being able to use nested groups on a standalone server is a very
useful thing even for standalone setups.
So my first choice is to make winbind a required (forked out?)
component of Samba. I would go even further by delegating to winbind any
SID-[UG]ID mapping by moving the idmap stuff inside it. I've recently
had problems with a migrated environment and SID mapping that made me
hate the fact that smbd does only algorithmic mapping regardless. I'm
not going into details anyway.
But, if you find out a sensible way to make the BUILTIN group managed
by smbd with modifiable group membership (except for DOMAIN\Domain Admins,
for example), I'm fine; I'm just a bit worried this solution may simplify
a few places in the code at the expense of compatibility and usability.
Simo Sorce - idra at samba.org
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
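As an added example (not part of this message or of Samba's own code), a post-migration check for the concern raised above about missing BUILTIN memberships: it parses `net groupmap list` and `getent group` output and flags well-known BUILTIN SIDs that are unmapped or map to a missing or empty Unix group. The `net groupmap list` line format and both sample outputs are assumptions; the well-known SIDs are the standard Windows values.

```python
import re
# Well-known BUILTIN SIDs (standard Windows values) that a domain member
# or DC should still have mapped after a vampire migration.
WELL_KNOWN_BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-551": "Backup Operators",
}
# Assumed line format of `net groupmap list`: "<ntname> (<sid>) -> <unixgroup>"
_GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Return {sid: (nt_name, unix_group)} from `net groupmap list` output."""
    mapping = {}
    for line in text.splitlines():
        m = _GROUPMAP_RE.match(line.strip())
        if m:
            mapping[m.group("sid")] = (m.group("nt"), m.group("unix"))
    return mapping

def parse_getent_group(text):
    """Return {unix_group: set(members)} from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4:
            groups[parts[0]] = set(filter(None, parts[3].split(",")))
    return groups

def audit_builtin(groupmap_text, getent_text):
    """Report BUILTIN SIDs that are unmapped or mapped to a missing/empty unix group."""
    mapping, groups, problems = parse_groupmap(groupmap_text), parse_getent_group(getent_text), []
    for sid, name in WELL_KNOWN_BUILTIN.items():
        if sid not in mapping:
            problems.append(f"{sid} ({name}): no group mapping")
        elif mapping[sid][1] not in groups:
            problems.append(f"{sid} ({name}): mapped to missing unix group {mapping[sid][1]}")
        elif not groups[mapping[sid][1]]:
            problems.append(f"{sid} ({name}): unix group {mapping[sid][1]} has no members")
    return problems
# Constructed sample output, not captured from a real server.
SAMPLE_GROUPMAP = """Domain Admins (S-1-5-21-1111-2222-3333-512) -> domadmins
Administrators (S-1-5-32-544) -> ntadmins
Users (S-1-5-32-545) -> ntusers
Backup Operators (S-1-5-32-551) -> backup
"""
SAMPLE_GETENT = "domadmins:x:10512:alice\nntadmins:x:10544:alice,bob\nntusers:x:10545:\nroot:x:0:\n"
if __name__ == "__main__":
    print("\n".join(audit_builtin(SAMPLE_GROUPMAP, SAMPLE_GETENT)))
```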