New Unix user and group domain

Gerald (Jerry) Carter jerry at samba.org
Sun Feb 26 19:49:48 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Volker Lendecke wrote:
> On Sat, Feb 25, 2006 at 11:49:49AM -0600, Gerald (Jerry) Carter wrote:
>> The scenario I was thinking of was a Samba member server
>> in a Samba domain sharing a uid/gid name (no \unixinfo
> 
> This is the 'trusted domains only = yes'?

Yes.

> 
>> pipe yet).  When we create the token for the user from
>> the NET_USER_INFO_3.  Don't we need those SIDs ?
> 
> Right, here we probably need those. We used to have the
> algorithmic fallback ones in place here. As the S-1-22 SIDs
> are completely new, adding them as auxiliary groups in the
> INFO3 does not hurt anybody out there.
> 
>> Now granted that domain groups are broken in this
>> scenario without the \unixinfo pipe support since the
>> sid_to_gid() will fail.  So are we any worse off now?
> 
> No, it should not fail. 'trusted domains only = yes' goes
> via the name.

As long as the S-1-22-2-${gid} groups are included in the
NET_USER_INFO_3, then I agree.

> 
>> Probably not as long as the unmapped groups continue
>> to work as they do in 3.0.21.  Make sense?
> 
> That's the point: They don't. Under option (c) (we just
> don't care) they would not show up in the samba member's
> token.

The unmapped groups must be included in the token and
therefore in the NET_USER_INFO_3.

Can you just give me a yes or no here?  Should the
S-1-22-2-${gid} groups be included in the NET_USER_INFO_3
as part of the net_samlogon() reply from the Samba DC?

I believe they should or else the user's token on the
member server will not contain the correct groups.
'winbind trusted domains only = yes' only deals with
sid_to_gid() for our domain.  It has no effect on the
groups that appear in the token to begin with.

We might be saying the same thing, I'm just having a
hard time interpreting your position on this.

>> OK. That's fine.  Can we just say then that local groups
>> require 'winbind nested groups = yes' ?
> 
> Yes. As we discussed a while ago, this should be the new
> default I think.

OK.  Would you make the change to loadparm.c then please?

> 
> The notable exception here should be the
> BUILTIN\Administrators with some to be discussed defaults.
> This does not count as a local group in the strictest sense,
> this should become our default way of asking "Am I root?".

I'll hit this topic in the other mail later on.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEAgZbIR7qMdg1EfYRApI7AKDJiHJdt8eseI22KkF4EfMAHx7PUgCfXuwL
0qtl4bwrQG6NY0Cb2eB1XFU=
=2mQh
-----END PGP SIGNATURE-----
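Added illustration (not from the thread, not Samba's code): a small Python model of the point under discussion. The DC side either does or does not add S-1-22-2-${gid} SIDs for unmapped Unix groups to the group list it returns in NET_USER_INFO_3; the member server side then resolves each SID to a gid, algorithmically for the S-1-22 "Unix Users"/"Unix Groups" domains and through a lookup (standing in for winbind's sid_to_gid()) for everything else. The INFO3 is flattened to a plain list of SID strings, the domain SID and ids are constructed sample values, and the function names are mine; only the S-1-22-1-${uid} / S-1-22-2-${gid} format comes from Samba.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Samba's algorithmic "Unix Users" / "Unix Groups" SID domains.
UNIX_USERS_SID = "S-1-22-1"
UNIX_GROUPS_SID = "S-1-22-2"

_UNIX_SID_RE = re.compile(r"^S-1-22-(?P<kind>[12])-(?P<rid>\d+)$")


def uid_to_unix_sid(uid: int) -> str:
    """Map an unmapped Unix uid to its S-1-22-1-${uid} SID."""
    if uid < 0:
        raise ValueError("uid must be non-negative")
    return f"{UNIX_USERS_SID}-{uid}"


def gid_to_unix_sid(gid: int) -> str:
    """Map an unmapped Unix gid to its S-1-22-2-${gid} SID."""
    if gid < 0:
        raise ValueError("gid must be non-negative")
    return f"{UNIX_GROUPS_SID}-{gid}"


def unix_sid_to_id(sid: str) -> Optional[Tuple[str, int]]:
    """Return ("user"|"group", id) for an S-1-22 SID, None for any other SID.

    Anchored regex: a SID such as S-1-22-2-5-7 or S-1-5-21-... is rejected."""
    m = _UNIX_SID_RE.match(sid)
    if not m:
        return None
    kind = "user" if m.group("kind") == "1" else "group"
    return kind, int(m.group("rid"))


def build_info3_groups(domain_sid: str, mapped_group_rids: List[int],
                       unmapped_gids: List[int],
                       include_unix_groups: bool) -> List[str]:
    """DC side (hypothetical, simplified): the group SIDs placed in INFO3.

    Real INFO3 carries domain RIDs plus a separate 'other SIDs' array;
    here both are flattened into one list of SID strings."""
    groups = [f"{domain_sid}-{rid}" for rid in mapped_group_rids]
    if include_unix_groups:
        groups += [gid_to_unix_sid(g) for g in unmapped_gids]
    return groups


def member_token_gids(info3_groups: List[str],
                      sid_to_gid: Callable[[str], Optional[int]]) -> List[int]:
    """Member-server side (hypothetical): build the gid list of the token.

    S-1-22-2 SIDs resolve algorithmically; other SIDs go through the
    supplied sid_to_gid lookup (stand-in for winbind), and SIDs that fail
    to resolve are dropped rather than failing the whole logon."""
    gids: List[int] = []
    for sid in info3_groups:
        parsed = unix_sid_to_id(sid)
        if parsed is not None:
            if parsed[0] == "group":
                gids.append(parsed[1])
            continue
        gid = sid_to_gid(sid)
        if gid is not None:
            gids.append(gid)
    return gids


def demo() -> Dict[str, List[int]]:
    """Constructed sample: one mapped domain group (RID 513) and one
    unmapped Unix group (gid 1005). Returns the member token gids for a
    DC that includes the S-1-22-2 SIDs and for one that does not."""
    domain_sid = "S-1-5-21-1111-2222-3333"          # constructed
    winbind_table = {f"{domain_sid}-513": 10513}    # constructed mapping
    lookup = winbind_table.get
    with_unix = build_info3_groups(domain_sid, [513], [1005], True)
    without_unix = build_info3_groups(domain_sid, [513], [1005], False)
    return {
        "dc_includes_unix_groups": member_token_gids(with_unix, lookup),
        "dc_omits_unix_groups": member_token_gids(without_unix, lookup),
    }


if __name__ == "__main__":
    for case, gids in demo().items():
        print(f"{case}: token gids = {gids}")
```

The second case is the "option (c)" outcome: nothing on the member server can recover gid 1005 because the SID was never sent, which is why the S-1-22-2-${gid} entries have to be present in the INFO3 rather than reconstructed later.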


More information about the samba-technical mailing list