Upgrade issue with 3.0.21b->3.0.22

Gerald (Jerry) Carter jerry at samba.org
Wed Feb 8 18:18:38 GMT 2006


Volker Lendecke wrote:
> On Wed, Feb 08, 2006 at 10:31:10AM -0600, Gerald (Jerry) Carter wrote:
>>> Whatever we do, we will need to plaster an upgrade HOWTO
>>> in some very visible places (not just the release notes).
>>> Other than the primary group SID and object ACLs on
>>> client NTFS partitions, what are the other problematic cases?
> 
> It's not only the primary group, it's all groups that a user
> is member of.

Right.  But I was talking of 2 different issues.   One is that
the primaryGroup must be within the same domain as the
User's SID.  The second is any groups that exist in security
descriptors which are potentially invalid after the upgrade.


> In the end, I'd like to be able to ignore the
> primaryGroupSid attribute. We can not default to 
> domain users I think, users don't have to be in
> that group at all.

I realize that, but (a) Domain Users has a well-known RID,
and (b) my admins are used to that by convention.

> And I don't like the idea that we have a special 
> case for the domain users SID. Even if it works
> now, sooner or later someone is breaking it
> by adding the unix group that domain users was
> mapped to.

I'm suggesting that we force the admin to define one
Unix group as the 'Domain Admins' group and establish
that mapping.  The alternative is to map *every* unix
group into the machine SID domain since it is possible
for any Unix group to be the primary group of a user.
I'm suggesting that we just force the Admin to pick one
and only one that must be mapped.

>> Therefore I would really like to finish the \unixinfo pipe
>> you started since IMO it is a piece of the complete deployment
>> solution.  Any objections there ?
> 
> No, not at all. I'd be happy to see that proceed. I'm not
> sure that I'm happy with the current IDL though. For speed
> reasons, all calls should take arrays of the respective
> objects. Otherwise a 'getent passwd' will be a complete
> nightmare speedwise.

I'll look into it some more then.

cheers, jerry