Upgrade issue with 3.0.21b->3.0.22

Gerald (Jerry) Carter jerry at samba.org
Thu Feb 9 23:14:42 GMT 2006


Volker Lendecke wrote:

>>> Whatever we do, we will need to plaster an upgrade HOWTO
>>> in some very visible places (not just the release notes).
>>> Other than the primary group SID and object ACLs on
>>> client NTFS partitions, what are the other problematic cases?
> 
> It's not only the primary group, it's all groups that a user
> is member of.

True.  But the primary group SID is a much more likely
problem for an admin to hit IMO.  We have to solve that one.
I guess I will concede that it is really just a subset
of the "SIDs in a security descriptor" problem.  Solve the
latter and you have solved the former.

>>> Can we simply ignore the primaryGroupSID from the passdb 
>>> objects and force the Domain Users SID (requiring that
>>> the admin has set up a mapping for this one group)?  This
>>> would be in the NT_USER_TOKEN only and not affect
>>> the Unix token.
> 
> In the end, I'd like to be able to ignore the
> primaryGroupSid attribute. We can not default to domain
> users I think, users don't have to be in that group at all.

Do you still feel this way given my recent testing against
standalone Windows servers?  We could mimic that behavior.
In the end though it is similar to auto mapping groups.

One problem with any auto mapping of groups is that
things behave differently depending on whether you are
using a tdb or an LDAP directory.  See my previous
posts about smbd failing to start since the guest
user doesn't exist and the Domain Guests group mapping
entry fails.

>> Therefore I would really like to finish the \unixinfo pipe
>> you started since IMO it is a piece of the complete deployment
>> solution.  Any objections there ?
> 
> No, not at all. I'd be happy to see that proceed. I'm not
> sure that I'm happy with the current IDL though. For speed
> reasons, all calls should take arrays of the respective
> objects. Otherwise a 'getent passwd' will be a complete
> nightmare speedwise.

I'll plan to work on it some but I think the \unixinfo pipe
will have to be pushed off to 3.0.23 realistically.  There's
too much to finish on the current user/group rewrite.

cheers, jerry
=====================================================================
I live in a Reply-to-All world.               -----------------------
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com

