'force user' broken for winbind users?

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Jan 13 13:05:12 GMT 2006


On Fri, Jan 13, 2006 at 09:01:23PM +1100, Andrew Bartlett wrote:
> Indeed!  This area has been too wishy-washy in past.  

What we can reliably do is to provide correct group lists for users that have
authenticated via winbind.

We can also provide a reliable uid for all others via lsa_lookupnames and id
mapping. But that's about it. Everything else, like enumerating users and
groups, enumerating group membership info and so on, just does not work.

The underlying reason is simple: Windows clients *never* do this.

Except when setting ACLs. And during that process a popup window is shown
where the user should type in a username and password that is privileged to
query all the info necessary. Winbind, even with --set-auth-user, does not have
the necessary privileges; we would need a separate administrator on all trusted
domains to do the things we need reliably. Not a very realistic option I think.

So one possibility would be to default 'winbind enum users/groups' to no so
that people are aware of it. 

Another radical one would be to simply not calculate group memberships anymore
for initgroups() if there is no netsamlogon cache around. We can add an option
like 'winbind expand groups' that defaults to no so that admins explicitly have
to activate it, but with a warning in the manpage that this is bound to break.

Volker
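Added example, not part of the thread and not Samba's own code: an smb.conf fragment carrying the conservative winbind settings discussed in the message above (enumeration off, no group expansion), next to a deliberately noisy one, plus a small portable-shell audit function that reports whether a given smb.conf still turns winbind enumeration on. The configurations are constructed for the example; the workgroup, realm and idmap range are placeholders, and the 'winbind expand groups = 0' line assumes the integer-depth form that option later took in Samba rather than the yes/no form proposed here.

```shell
#!/bin/sh
# Added example (not from the Samba project or this thread): audit an smb.conf
# for winbind enumeration settings. smb.conf keys are case-insensitive, internal
# whitespace in a key is ignored, and yes/true/1 all mean "on"; the parser below
# honours those rules so that "Winbind Enum Users = Yes" is caught as well.

# Constructed sample: the conservative settings discussed above. Placeholder
# workgroup/realm/idmap values; 'winbind expand groups = 0' assumes the
# integer-depth form the option later received in Samba.
SMB_CONF_SAFE='[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   winbind enum users = no
   winbind enum groups = no
   winbind expand groups = 0
'

# Constructed counter-example with enumeration switched on in two spellings.
SMB_CONF_ENUM='[global]
   workgroup = EXAMPLE
   security = ads
   ; comment line, must be ignored: winbind enum users = no
   Winbind Enum Users = Yes
   winbind enum groups = true
'

# winbind_enum_enabled CONFIG_TEXT
# Prints "users" and/or "groups", one per line, for each enumeration option
# that is explicitly enabled, and returns 0; returns 1 when neither is on.
winbind_enum_enabled() {
    found=$(printf '%s\n' "$1" | awk '
        function on(v) { return (v == "yes" || v == "true" || v == "1") }
        /^[ \t]*[#;]/ { next }                 # skip smb.conf comment lines
        {
            n = split(tolower($0), kv, "=")    # key = value, case-folded
            if (n < 2) next
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key)             # "winbind enum users" -> "winbindenumusers"
            gsub(/^[ \t]+|[ \t]+$/, "", val)   # trim the value
            if (key == "winbindenumusers"  && on(val)) print "users"
            if (key == "winbindenumgroups" && on(val)) print "groups"
        }
    ')
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Usage: audit both constructed configurations.
for cfg in "$SMB_CONF_SAFE" "$SMB_CONF_ENUM"; do
    if winbind_enum_enabled "$cfg"; then
        echo "-> winbind enumeration still enabled"
    else
        echo "-> winbind enumeration disabled"
    fi
done
```

The check only reports options that are written out explicitly. A config that omits 'winbind enum users' / 'winbind enum groups' gets whatever the installed Samba version defaults to, so when auditing a real host compare against the smb.conf(5) page for that version rather than assuming "absent means off".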