New approach to "valid users" fix

Gerald (Jerry) Carter jerry at
Mon Aug 21 20:10:30 GMT 2006

Hash: SHA1

(Back from Linuxworld and back on code....)

simo wrote:
> On Sat, 2006-08-12 at 13:56 -0500, Gerald (Jerry) Carter wrote:
>> It's a pretty big bug actually if you copy files from
>> the Samba box to a local NTFS partition on a Windows
>> client.  We'll have to fix this, but I need to think
>> about it some.
> I think that part of the problem is that we don't let 
> idmap do it's work alone, but often we check for
> idmap ranges outside of idmap instead of just
> trusting what idmap does.   I think that idmap
> ranges should be checked only inside idmap by the
> modules that really depends on them, and let 
> the user decide whether to enforce them or not (or
> perhaps use them as filters) for modules that do
> not control the mappings (or potentially don't) 
> like idmap_ad and idmap_ldap.

I think there are two different problems.  Once
is that winbind is authoritative for the uid/gid
even though it did not allocate it.  The other is
that Unix users/groups should be implicitly mapped
back to a domain user/group in order tyo report the
correct SID in an ACL.

We use to get case #2 correct and I think I can fix this for
3.0.23c.  The first one has always been a problem I think
and would be more on target for the next upgarde version
(3.0.24, 3.0.25, etc...).

cheers, jerry

Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla -


More information about the samba-technical mailing list