What is left for 3.0.20a ?
Gerald (Jerry) Carter
jerry at samba.org
Wed Sep 28 21:15:29 GMT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Guenther Deschner wrote:
| The wrong user and primary group sid in the NT
| Token resulting from reply_spnego_kerberos (solved
| in trunk by using the PAC) is really something
| drastic, IMHO.
|
| As we need to solve the case where a user does not get a
| PAC from a KDC (by intention) anyway, we could add
| these calls maybe now for 3.0.20a.
I'm a little nervous about the PAC work. I'd rather just
post it as a diff on the patches page until it gets some
more mileage.
| And there is another builtingroup scope mismatch I
| just found out:
|
| When a user is a member of a Builtin group in ADS (not
| a Domain Local Group!), that Builtin SID is returned by
| lookup_usergroups in the user's SIDs array and then put
| into the user's token. When by coincidence an Admin
| created a Builtin group with the same Builtin SID
| on the Samba server to assign privileges to a group
| with assured local scope, then that ADS user
| suddenly benefits from extra rights on the samba server :)
| Winbind expands unwillingly the scope of builtin
| groups here.
I'm going to merge this one in though.
cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD4DBQFDOwfxIR7qMdg1EfYRArHzAJUakUQBMXDbTi3YsEpD1jYAC5ekAKDN/RDG
EPASscR34fjyl92qarUwrA==
=BXXj
-----END PGP SIGNATURE-----
More information about the samba-technical
mailing list