New Unix user and group domain
Gerald (Jerry) Carter
jerry at samba.org
Sun Feb 26 19:49:48 GMT 2006
Volker Lendecke wrote:
> On Sat, Feb 25, 2006 at 11:49:49AM -0600, Gerald (Jerry) Carter wrote:
>> The scenario I was thinking of was a Samba member server
>> in a Samba domain sharing a uid/gid name (no \unixinfo
>
> This is the 'trusted domains only = yes'?
Yes.
>
>> pipe yet). When we create the token for the user from
>> the NET_USER_INFO_3. Don't we need those SIDs?
>
> Right, here we probably need those. We used to have the
> algorithmic fallback ones in place here. As the S-1-22 SIDs
> are completely new, adding them as auxiliary groups in the
> INFO3 does not hurt anybody out there.
>
>> Now granted that domain groups are broken in this
>> scenario without the \unixinfo pipe support since the
>> sid_to_gid() will fail. So are we any worse off now?
>
> No, it should not fail. 'trusted domains only = yes' goes
> via the name.
As long as the S-1-22-2-${gid} groups are included in the
NET_USER_INFO_3, then I agree.
>
>> Probably not as long as the unmapped groups continue
>> to work as they do in 3.0.21. Make sense?
>
> That's the point: They don't. Under option (c) (we just
> don't care) they would not show up in the samba member's
> token.
The unmapped groups must be included in the token and
therefore in the NET_USER_INFO_3.
Can you just give me a yes or no here. Should the
S-1-22-2-${gid} groups be included in the NET_USER_INFO_3
as part of the net_samlogon() reply from the Samba DC?
I believe they should or else the user's token on the
member server will not contain the correct groups.
'winbind trusted domains only = yes' only deals with
sid_to_gid() for our domain. It has no effect on the
groups that appear in the token to begin with.
We might be saying the same thing, I'm just having a
hard time interpreting your position on this.
>> OK. That's fine. Can we just say then that local groups
>> require 'winbind nested groups = yes'?
>
> Yes. As we discussed a while ago, this should be the new
> default I think.
ok. Would you make the change to loadparm.c then please?
>
> The notable exception here should be the
> BUILTIN\Administrators with some to be discussed defaults.
> This does not count as a local group in the strictest sense,
> this should become our default way of asking "Am I root?".
I'll hit this topic in the other mail later on.
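A small model of the point under discussion, added here as an example and not code from this thread or from Samba: it builds a member server's token from a NET_USER_INFO_3-style reply with and without the S-1-22-2-${gid} group SIDs and shows which Unix gids the token then resolves to. The S-1-22-1/S-1-22-2 authority for Unix users/groups is Samba's convention; the passwd/group entries, domain SID and the shape of the info3 dictionary are constructed assumptions.

```python
# Samba's algorithmic "Unix" SID authority: S-1-22-1-<uid> users, S-1-22-2-<gid> groups.
UNIX_USERS_SID = "S-1-22-1"
UNIX_GROUPS_SID = "S-1-22-2"

def gid_to_unix_sid(gid: int) -> str:
    """Forward mapping used by the DC when it has no mapped SID for a Unix group."""
    return f"{UNIX_GROUPS_SID}-{gid}"

def unix_sid_to_gid(sid: str):
    """Algorithmic sid_to_gid(): returns the gid for S-1-22-2-<gid>, None otherwise."""
    prefix = UNIX_GROUPS_SID + "-"
    if sid.startswith(prefix) and sid[len(prefix):].isdigit():
        return int(sid[len(prefix):])
    return None

# Constructed sample group database (gid -> members) on the Samba DC:
# user "alice" has primary gid 1001 and unmapped supplementary gids 100 and 27.
SAMPLE_GROUP_DB = {100: ["alice", "bob"], 27: ["alice"], 1001: []}

def supplementary_gids(user: str, group_db: dict) -> list:
    """Supplementary gids for a user, as getgrouplist() would report them."""
    return sorted(g for g, members in group_db.items() if user in members)

def build_info3(domain_sid: str, rid: int, primary_gid: int,
                unix_gids: list, include_unix_groups: bool) -> dict:
    """Model of the NET_USER_INFO_3 fields that matter for token construction.
    include_unix_groups=False models option (c) from the thread (unmapped groups omitted)."""
    info3 = {"user_sid": f"{domain_sid}-{rid}",
             "primary_group_sid": gid_to_unix_sid(primary_gid),
             "other_sids": []}
    if include_unix_groups:
        info3["other_sids"] = [gid_to_unix_sid(g) for g in unix_gids]
    return info3

def build_token(info3: dict) -> set:
    """Member server side: the token is the user SID plus every group SID in the reply."""
    return {info3["user_sid"], info3["primary_group_sid"], *info3["other_sids"]}

def token_gids(token: set) -> list:
    """Unix gids the member server can derive from the token without a \\unixinfo pipe."""
    return sorted(g for g in map(unix_sid_to_gid, token) if g is not None)

if __name__ == "__main__":
    gids = supplementary_gids("alice", SAMPLE_GROUP_DB)
    for include in (True, False):
        tok = build_token(build_info3("S-1-5-21-1-2-3", 1000, 1001, gids, include))
        print(f"unix groups in INFO3={include}: token gids = {token_gids(tok)}")
```

Run as-is, the token built from a reply that carries the S-1-22-2 SIDs resolves to gids [27, 100, 1001], while the reply without them yields only the primary gid [1001], which is the missing-groups case the thread is worried about.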