ignore primaryGroupSID == making initial server setup easy

Gerald (Jerry) Carter jerry at samba.org
Fri Feb 17 19:52:28 GMT 2006



Volker,

I think that dealing with a new server setup and upgrading
an existing server have different requirements.  I think that
by simply ignoring the primaryGroupSID attribute and deriving
it strictly from the unix primary group we avoid the
problem of creating the initial guest account SAM structure,
therefore making smbd startup simple.

By forcing the primary group RID to be 513 (in the event
that the SID does not have a mapping or is outside of the
server's SAM domain) we avoid the problem with smbpasswd -a
(without falling back to a RID algorithm).

And at the same time we do not really lose anything
important for upgraded servers since the primaryGroupSID
is really not important in most Windows installations
anyways.

Granted that this can cause the Unix and NT token in smbd
to differ.  I am ok with that.  If an admin does not want
a user to default to being a part of 'Domain Users', then
he/she must set a valid group mapping for the Unix group.

So what is left is to figure out how to deal with the
security descriptor upgrade issue.



cheers, jerry
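The fallback rule proposed in the message above, sketched as an added example that is not part of the original post and is not Samba code. The function name, the simplified SID struct, the mapping table and all SID values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RID_DOMAIN_USERS 513u   /* well-known "Domain Users" RID */

/* Simplified SID: domain prefix as text plus the trailing RID. */
struct sid { const char *domain; uint32_t rid; };

/* Constructed group-mapping table (Unix gid -> SID), standing in
 * for the server's real group mapping database. */
struct gmap_entry { unsigned gid; struct sid sid; };
static const struct gmap_entry sample_map[] = {
    { 100, { "S-1-5-21-1-2-3", 1201 } },  /* mapped, in our SAM domain */
    { 200, { "S-1-5-21-9-9-9", 1300 } },  /* mapped, foreign domain    */
};

/* Hypothetical helper: primary group RID for an account.
 * stored_pgsid is the account's primaryGroupSID attribute; it is
 * deliberately never consulted. */
uint32_t derive_primary_group_rid(const char *sam_domain, unsigned unix_gid,
                                  const struct sid *stored_pgsid)
{
    size_t i;
    (void)stored_pgsid;
    for (i = 0; i < sizeof(sample_map) / sizeof(sample_map[0]); i++) {
        if (sample_map[i].gid != unix_gid)
            continue;
        /* Mapping exists: use it only if it lies in our SAM domain. */
        if (strcmp(sample_map[i].sid.domain, sam_domain) == 0)
            return sample_map[i].sid.rid;
        break;
    }
    /* No mapping, or SID outside the domain: force Domain Users. */
    return RID_DOMAIN_USERS;
}

int main(void)
{
    const char *dom = "S-1-5-21-1-2-3";            /* constructed domain SID */
    struct sid stale = { "S-1-5-21-1-2-3", 9999 }; /* stale stored value */
    printf("%u\n", (unsigned)derive_primary_group_rid(dom, 100, &stale));
    printf("%u\n", (unsigned)derive_primary_group_rid(dom, 200, &stale));
    printf("%u\n", (unsigned)derive_primary_group_rid(dom, 999, &stale));
    return 0;
}
```

The third case (gid 999, no mapping) is the one a freshly created account hits on a new server: it resolves to 513 without any stored attribute or algorithmic RID.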


More information about the samba-technical mailing list