BUILTIN\{Administrators,Users}

Gerald (Jerry) Carter jerry at samba.org
Sat Feb 25 16:35:30 GMT 2006


Starting a new thread since this doesn't just apply
to Samba DCs.  This is background for everyone else....
Volker, just skip the next paragraph :-)

We need to be able to use the BUILTIN groups internally
for our security descriptors on registry keys, service
control objects, printer ACLs, etc...  This removes the
need to explicitly include any domain groups in the ACL
and makes the standalone server, domain server, and DC
work using a single security descriptor design.  This
is of course exactly how Windows does it.

My idea is to have 'winbind nested groups = yes'
automatically create a mapping for the Administrators
and Users BUILTIN groups.  Then we can simply add
the corresponding domain groups to the correct BUILTIN
group as part of the join process.  We can do the
same for a Samba DC.

As a side note regarding nested groups, we need to
preface the local group name with "MACHINENAME" due
to ambiguity when 'winbind use default domain' is
enabled.  This might not be the case when we move the
'default domain' logic into the winbind Unix client
code (i.e. wbinfo, ntlm_auth, libnss_winbind.so).
Have we done that already?  It's been a while since I
looked.




cheers, jerry
=====================================================================
I live in a Reply-to-All world                -----------------------
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com

