'force user' broken for winbind users?

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jan 12 22:25:03 GMT 2006


Hi!

Looking at the group membership functions a bit closer I came across the force
user code. Depending on the Windows version, it is impossible to reliably
figure out the groups a user is a member of without actually logging in. So
consequently force user = winbind-user is bound to fail sooner or later.
force group might be ok, this just sets the primary group. But force user not
only sets the uid but also the list of groups the forced user is in.

It might happen that, due to a service pack being installed or some other
tightening being done on the DC, the list of groups does not work correctly
anymore, as winbind is not able to retrieve them.

When going through that code, can we restrict 'force user' to pure non-winbind
nss based users that we have control over?

Volker
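
An added illustration, not part of the original message and not Samba code: a small audit that flags shares whose 'force user' is not an account in the local passwd file, which is the restriction proposed above. The smb.conf and passwd text are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not taken from any real system).
SAMPLE_SMB_CONF = """[global]
winbind separator = +
[scans]
force user = scanner
[projects]
Force User = EXAMPLE+svc_projects
[archive]
force user = svc_archive
"""
SAMPLE_PASSWD = ("root:x:0:0::/root:/bin/sh\n"
                 "scanner:x:1001:1001::/home/scanner:/usr/sbin/nologin\n")

def local_users(passwd_text):
    # Read passwd(5) text directly: getpwnam() would also consult winbind via NSS.
    return {l.split(":", 1)[0] for l in passwd_text.splitlines()
            if ":" in l and not l.startswith("#")}

def audit_force_user(smb_conf_text, passwd_text):
    """Return (share, user, reason) for each 'force user' that is not a local account."""
    local, sep, section, forced = local_users(passwd_text), "\\", None, []
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
            continue
        key, eq, value = line.partition("=")
        # Samba compares parameter names ignoring case and whitespace.
        key, value = re.sub(r"\s+", "", key).lower(), value.strip()
        if key == "winbindseparator" and value:
            sep = value[0]
        elif key == "forceuser" and value:
            forced.append((section, value))
    findings = []
    for share, user in forced:
        if sep in user:
            findings.append((share, user, "domain-qualified name"))
        elif user not in local:
            findings.append((share, user, "not in local passwd file"))
    return findings

if __name__ == "__main__":
    for finding in audit_force_user(SAMPLE_SMB_CONF, SAMPLE_PASSWD):
        print(finding)
```

The passwd-file lookup matters when 'winbind use default domain' is enabled, because domain users then appear without a separator and only the local file distinguishes them.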