Dynamic groups (was Samba and groups > 16)
Jeremy Allison
jra at samba.org
Mon Mar 7 18:21:49 GMT 2005
On Mon, Mar 07, 2005 at 05:46:48PM +0100, Volker Lendecke wrote:
>
> Not possible. For each access denied from the kernel you would have to iterate
> through all groups that a user is in to retry, just in case some group
> membership would give him permission. The only real way around this is a
> user-space implementation of NT acls, but then you lose the unix
> interoperability.
It's not quite that bad - you can do a stat/getfacl to get the groups
list and iterate over the large numbers of groups that Samba stores in
the user token. But yeah, it's pretty bad :-).
> With Solaris you're stuck, sorry. That is just not usable in large AD
> environments.
That I'm agreed on :-).
Jeremy.
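
One way to read the stat/getfacl approach from the reply above, as an added example that is not part of the original message and is not Samba's code: collect the groups named on the file, then keep only those the user's token also holds, so the result fits a small kernel group list. The names `struct token`, `file_owner_gid` and `pick_groups` are hypothetical, and the ACL group entries are passed in as a constructed array instead of being read with getfacl.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical stand-in for the full group list kept in a user token. */
struct token { const gid_t *gids; size_t ngids; };

static int in_list(const gid_t *l, size_t n, gid_t g) {
    for (size_t i = 0; i < n; i++)
        if (l[i] == g) return 1;
    return 0;
}

/* Owning group of a path via stat(); returns 0 on success, -1 on error. */
int file_owner_gid(const char *path, gid_t *gid) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    *gid = st.st_gid;
    return 0;
}

/* Write to out[] the gids named on the file (owning group first, then the
 * ACL group entries) that the token also holds. Duplicates are skipped and
 * at most max_out entries are written. Returns the number written. */
size_t pick_groups(const struct token *tok, gid_t owner,
                   const gid_t *acl, size_t nacl,
                   gid_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i <= nacl && n < max_out; i++) {
        gid_t g = (i == 0) ? owner : acl[i - 1];
        if (in_list(tok->gids, tok->ngids, g) && !in_list(out, n, g))
            out[n++] = g;
    }
    return n;
}

int main(void) {
    /* Constructed sample: a token with 40 groups, a file owned by gid 1037
     * whose ACL names four groups, and a 16-slot kernel group list. */
    gid_t all[40], acl[] = {500, 1020, 1037, 1005}, out[16];
    for (size_t i = 0; i < 40; i++) all[i] = 1000 + i;
    struct token tok = { all, 40 };
    size_t n = pick_groups(&tok, 1037, acl, 4, out, 16);
    for (size_t i = 0; i < n; i++) printf("%lu\n", (unsigned long)out[i]);
    return 0;
}
```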