What is left for 3.0.20a ?

Guenther Deschner gd at samba.org
Fri Sep 23 19:55:28 GMT 2005


Hi Jerry,

On Fri, Sep 23, 2005 at 12:53:25PM -0500, Gerald (Jerry) Carter wrote:
> Guys,
> 
> What outstanding bugs do you have for 3.0.20a?  I just want to
> create a concise list that we can use to judge when it
> is time to ship.

* security = ads

The wrong user and primary group sid in the NT Token resulting from
reply_spnego_kerberos (solved in trunk by using the PAC) is really
something drastic, IMHO. 

As we need to solve the case where a user does not get a PAC from a KDC
(by intention) anyway, we could add these calls maybe now for 3.0.20a.

And there is another builtin group scope mismatch I just found out:

When a user is a member of a Builtin group in ADS (not a Domain Local
Group!), that Builtin SID is returned by lookup_usergroups in the user's
SIDs array and then put into the user's token. When by coincidence an
Admin created a Builtin group with the same Builtin SID on the Samba
server to assign privileges to a group with assured local scope, then that
ADS user suddenly benefits from extra rights on the samba server :)
Winbind expands unwillingly the scope of builtin groups here.


Guenther

-- 
Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE LINUX                       gd at suse.de
Samba Team                              gd at samba.org
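
The following is an added example, not part of the message above and not Samba code. It sketches one possible mitigation for the scope mismatch described: SIDs in the BUILTIN domain (S-1-5-32-<rid>) that arrive in a remote group lookup are dropped before the local token is built. The function names are hypothetical, the SID values are constructed, and filtering at this point is an assumption rather than the fix the Samba Team chose.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if sid is an alias in the BUILTIN domain (S-1-5-32-<rid>), else 0. */
int sid_in_builtin_domain(const char *sid)
{
    static const char prefix[] = "S-1-5-32-";
    const size_t n = sizeof(prefix) - 1;
    const char *p;

    if (sid == NULL || strncmp(sid, prefix, n) != 0)
        return 0;
    p = sid + n;
    if (*p == '\0')
        return 0;                 /* no RID after the prefix */
    for (; *p != '\0'; p++)
        if (*p < '0' || *p > '9')
            return 0;             /* extra sub-authority or junk */
    return 1;
}

/* Hypothetical filter: copies into out[] (room for n_in entries) only the
 * SIDs that keep their meaning on this server; returns the number kept. */
size_t filter_remote_sids(const char *const *in, size_t n_in, const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n_in; i++) {
        if (sid_in_builtin_domain(in[i])) {
            fprintf(stderr, "dropping remote BUILTIN SID %s\n", in[i]);
            continue;             /* local scope only: never import */
        }
        out[kept++] = in[i];
    }
    return kept;
}

/* Constructed sample of a remote lookup result: user, Domain Users, and a
 * BUILTIN alias (544, Administrators) the user holds in the directory. */
static const char *const sample_remote_sids[] = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "S-1-5-21-1111111111-2222222222-3333333333-513",
    "S-1-5-32-544",
};

size_t demo_kept_count(void)
{
    const char *token_sids[3];
    return filter_remote_sids(sample_remote_sids, 3, token_sids);
}

int main(void)
{
    printf("%zu of 3 remote SIDs kept for the local token\n", demo_kept_count());
    return 0;
}
```

BUILTIN membership for the local token would then come only from the server's own alias database, so a privilege assigned to a local S-1-5-32 group is not inherited through directory membership.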