What is left for 3.0.20a ?

Gerald (Jerry) Carter jerry at samba.org
Wed Sep 28 21:15:29 GMT 2005

Guenther Deschner wrote:

| The wrong user and primary group sid in the NT
| Token resulting from reply_spnego_kerberos (solved
| in trunk by using the PAC) is really something
| drastic, IMHO.
| As we need to solve the case where a user does not get a
| PAC from a KDC (by intention) anyway, we could add
| these calls maybe now for 3.0.20a.

I'm a little nervous about the PAC work.  I'd rather just
post it as a diff on the patches page until it gets some
more mileage.

| And there is another builtin group scope mismatch I
| just found out:
| When a user is a member of a Builtin group in ADS (not
| a Domain Local Group!), that Builtin SID is returned by
| lookup_usergroups in the user's SIDs array and then put
| into the user's token. When by coincidence an Admin
| created a Builtin group with the same Builtin SID
| on the Samba server to assign privileges to a group
| with assured local scope, then that ADS user
| suddenly benefits from extra rights on the Samba server :)
| Winbind expands unwillingly the scope of builtin
| groups here.

I'm going to merge this one in though.

cheers, jerry
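
The builtin group scope mismatch quoted above, shown as an added example that is not part of the original message and is not Samba's code: one way to keep a remote domain's BUILTIN aliases out of a locally built token is to drop every `S-1-5-32-<rid>` SID from the list the domain reports before merging it. The helper names and the string representation of SIDs are assumptions, and the sample SIDs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Every alias in the BUILTIN domain has the form S-1-5-32-<rid>. */
#define BUILTIN_PREFIX "S-1-5-32-"

/* Hypothetical helper: 1 if sid is a BUILTIN alias (prefix plus one decimal RID). */
int sid_is_builtin_alias(const char *sid)
{
    size_t n = strlen(BUILTIN_PREFIX);
    const char *p;

    if (strncmp(sid, BUILTIN_PREFIX, n) != 0)
        return 0;               /* e.g. S-1-5-21-... or S-1-5-320-... */
    p = sid + n;
    if (*p == '\0')
        return 0;               /* prefix with no RID */
    for (; *p != '\0'; p++)
        if (*p < '0' || *p > '9')
            return 0;           /* extra sub-authority or junk */
    return 1;
}

/* Hypothetical helper: compact sids[] in place, keeping only SIDs that are
 * not BUILTIN aliases; returns the new count. Meant to run on the list a
 * remote domain reported, before it is merged into the local token. */
size_t drop_remote_builtin_sids(const char **sids, size_t count)
{
    size_t i, kept = 0;

    for (i = 0; i < count; i++)
        if (!sid_is_builtin_alias(sids[i]))
            sids[kept++] = sids[i];
    return kept;
}

int main(void)
{
    /* Constructed sample: group SIDs as a domain controller might report them. */
    const char *sids[] = {
        "S-1-5-21-1000000001-1000000002-1000000003-513",
        "S-1-5-32-544",
        "S-1-5-21-1000000001-1000000002-1000000003-1105",
    };
    size_t i, n = drop_remote_builtin_sids(sids, 3);

    for (i = 0; i < n; i++)
        printf("%s\n", sids[i]);
    return 0;
}
```

With this filter in place, membership in a local BUILTIN group comes only from the server's own group mapping, so a same-numbered alias in the directory no longer carries local privileges.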
