New approach to "valid users" fix
Gerald (Jerry) Carter
jerry at samba.org
Mon Aug 21 20:10:30 GMT 2006
(Back from Linuxworld and back on code....)
simo wrote:
> On Sat, 2006-08-12 at 13:56 -0500, Gerald (Jerry) Carter wrote:
>
>> It's a pretty big bug actually if you copy files from
>> the Samba box to a local NTFS partition on a Windows
>> client. We'll have to fix this, but I need to think
>> about it some.
>
> I think that part of the problem is that we don't let
> idmap do its work alone, but often we check for
> idmap ranges outside of idmap instead of just
> trusting what idmap does. I think that idmap
> ranges should be checked only inside idmap by the
> modules that really depend on them, and let
> the user decide whether to enforce them or not (or
> perhaps use them as filters) for modules that do
> not control the mappings (or potentially don't)
> like idmap_ad and idmap_ldap.
I think there are two different problems. One
is that winbind is authoritative for the uid/gid
even though it did not allocate it. The other is
that Unix users/groups should be implicitly mapped
back to a domain user/group in order to report the
correct SID in an ACL.
We used to get case #2 correct and I think I can fix this for
3.0.23c. The first one has always been a problem I think
and would be more on target for the next upgrade version
(3.0.24, 3.0.25, etc...).
cheers, jerry
More information about the samba-technical
mailing list