blurb from release notes for 3.0.23b

Gerald (Jerry) Carter jerry at samba.org
Mon Aug 7 16:43:49 GMT 2006



Is this clear enough for everyone?


jerry

Member servers, domain accounts, and smb.conf
=============================================

Since Samba 3.0.8, it has been recommended that all domain
accounts listed in smb.conf on a member server be fully
qualified with the domain name.  This is now a requirement.
All unqualified names are assumed to be local to the Unix
host, either as part of the server's local passdb or in
the local system list of accounts (e.g. /etc/passwd or
/etc/group).

The reason for this change is that smbd has transitioned
from access checks based on string comparisons to token
based authorization.  All names are resolved to a SID and
they are verified against the logged on user's NT user token.
Local names will resolve to a local SID, while qualified
domain names will resolve to the appropriate domain SID.

If the member server is not running winbindd at all, domain
accounts will be implicitly mapped to local accounts and
their tokens will be modified appropriately to reflect the
local SID and group membership.

For example, the following share will restrict access to the
domain group "Linux Admins" and the local group srvadmin.

[restricted]
	path = /data
	valid users = +"DOMAIN\Linux Admins" +srvadmin

Note that to restrict the [homes] share on a member server, it
is necessary to prefix the %S value in "valid users" with the
domain name.

[global]
	security = {domain,ads}
	workgroup = DOM
	winbind separator = +

[homes]
	valid users = DOM+%S
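An added pre-upgrade check (example code, not part of Jerry's message or of Samba itself) that applies the rule above to an smb.conf: it parses the file and, on a member server, lists every name in a user/group list parameter that lacks the winbind separator and will therefore be looked up as a local account under 3.0.23. The configuration it reads is constructed sample input; the parameter names are the real smb.conf ones, and the default separator is assumed to be "\".

```python
import re

# smb.conf parameters whose values are lists of user/group names (subset)
NAME_LIST_PARAMS = {"valid users", "invalid users", "read list",
                    "write list", "admin users"}
# List items are whitespace/comma separated; quoted parts may carry spaces,
# and a group prefix may sit directly in front of the quote: +"DOM+Admins"
TOKEN_RE = re.compile(r'(?:[^\s,"]|"[^"]*")+')

# Constructed member-server configuration used as sample input.
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    workgroup = DOM
    winbind separator = +

[restricted]
    path = /data
    valid users = +"DOM+Linux Admins" +srvadmin @"Domain Users"

[homes]
    valid users = %S
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lowercase, space-normalised keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # new [section]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def local_names(conf):
    """(section, parameter, name) for every name smbd will resolve locally.

    Only meaningful on a member server (security = domain or ads). A name
    counts as domain-qualified when it contains the winbind separator.
    """
    glob = conf.get("global", {})
    if glob.get("security", "user").lower() not in ("domain", "ads"):
        return []                         # not a member server: rule does not apply
    sep = glob.get("winbind separator", "\\")   # assumed default separator
    findings = []
    for section, params in conf.items():
        for param, value in params.items():
            if param in NAME_LIST_PARAMS:
                for tok in TOKEN_RE.findall(value):
                    name = tok.replace('"', "").lstrip("+&@")  # drop group prefixes
                    if sep not in name:
                        findings.append((section, param, name))
    return findings

if __name__ == "__main__":
    for hit in local_names(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%-10s %-12s %r will be looked up as a LOCAL name" % hit)
```

Names it reports are not necessarily wrong (srvadmin above is meant to be local); the list is what an admin reviews before upgrading a member server.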