BUILTIN\{Administrators,Users}

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Feb 26 18:36:55 GMT 2006


On Sat, Feb 25, 2006 at 10:35:30AM -0600, Gerald (Jerry) Carter wrote:
> My idea is to have 'winbind nested groups = yes'
> automatically create a mapping for the Administrators
> and Users BUILTIN groups.  Then we can simply add
> The corresponding domain groups to the correct BUILTIN
> group as part of the join process.  We can do the
> same for a Samba DC.

"create a mapping" implies that we find a unix-gid for the
BUILTIN alias. Out of the blue this only works with winbind
around, that's the only one who can allocate gids. Without
we just can't map Users and Administrators.

We have two uses for the BUILTIN groups: One is for our
internal se_access_check. This only looks at the SIDs in the
token. The other one is to make use of unix access
permissions. For the latter one we need a gid, for the
former we don't.

The main reason you cite is that you want to make full use
of security descriptors on registry objects & friends and
not look at for example geteuid() anymore. Right? For this
use it is fully sufficient to just add the S-1-5-32-xx to
the token upon login time, there's no need to actually have
a mapping. So we could even use that with 'winbind nested
groups = no', as it happens with your trick to add
builtin\admins if we're a domain admin.

What do you think about a policy where if the two BUILTIN
groups are not explicitly defined as mappings by the admin,
apply default memberships. I could imagine your domain
admins group as well as having geteuid()==0 to qualify to be
in BUILTIN\Administrators.

What do you need BUILTIN\Users for? Isn't this more like
S-1-5-11 (Authenticated Users)? In what security descriptors
do you have those?

If BUILTIN\Administrators is explicitly mapped, then give
the admin full control. Irrespective of 'winbind nested
groups = yes/no' do not look at Domain Administrators or
geteuid()==0 but strictly follow who's in the group.

For legacy reasons I would regard a mapping to gid -1 to not
exist. In this case we should fall back to the defaults.

> As a side note regarding nested groups, we need to
> preface the local group name with "MACHINENAME" due
> to ambiguity when 'winbind use default domain' is
> enabled.  This might not be the case when we move the
> 'default domain' logic into the winbind Unix client
> code (i.e. wbinfo, ntlm_auth, libnss_winbind.so).
> Have we done that already?  It's been a while since I
> looked.

No, haven't come around yet to do anything about it.

Volker

P.S: Hey, cool. We can reasonably discuss about BUILTIN now,
now that we have the infrastructure around :-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20060226/374b6f9b/attachment.bin


More information about the samba-technical mailing list