Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")

Gerald (Jerry) Carter jerry at samba.org
Thu Jul 20 18:52:26 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Daugherty wrote:
> My opinion:
> 
> Local users should always take precedence. 
> 
> People should specifically refer to local users as
> <SambaHostName>\localuser, if that is the form the 
> SMB client insists on sending.
> 
> Tacking on default domains and/or stripping 
> domains to/from user names and "trying them out" is playing
> fast and loose with user identity and
> is a breeding ground for potential security holes.

Dave,

I don't think you fully understand the problem.  We're
talking about Unix shell tools, not SMB clients.  A local
username is always unqualified when sent by Unix tools like
'id' to query group membership.  A domain user may or may
not be qualified, so how do you know an unqualified domain
user from a normal local user?   For example,

With 'winbind use default domain = no'

$ id
uid=780(jerry) gid=100(users)
groups=16(dialout),33(video),100(users),10001(BUILTIN\users),
10007(SUSE10\developers)

With 'winbind use default domain = yes'

$ id
uid=780(jerry) gid=100(users)
groups=16(dialout),33(video),100(users)

The problem is that when guessing the domain, we assume
the Windows domain name.  Prior to querying group membership,
we do a lookup_name() query to the DC for this name
(DOMAIN\jerry) which fails since it is a local user.
So any local groups are excluded from the getgroups()
return.

*This* ambiguity is why I will be removing the guess
work from the server code in 3.0.24.

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEv9DpIR7qMdg1EfYRAhMoAJ9mu5FujBGJgheCqD57c5BC4VUQ6ACfU4SA
nKAFtPFGUBQa7CyY0QKrdk4=
=Yc53
-----END PGP SIGNATURE-----
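
The name-resolution ambiguity Jerry describes, as an added example written for this page (it is not Samba code and does not reproduce winbindd's internals). The local and domain account tables are constructed; 'SUSE10', 'jerry' and the gids are taken from the id output above, and the example goes one step beyond the message by adding a colliding domain account SUSE10\jerry so the identity-confusion case is visible alongside the "lookup fails for a local user" case. Function names (resolve_guessing, resolve_strict, collisions) are hypothetical.

```python
"""Simulate unqualified-name resolution with and without domain guessing.

Constructed data: LOCAL_* stands in for /etc/passwd and /etc/group,
DOMAIN_* for what winbindd would get back from the DC. Not Samba code.
"""

SEPARATOR = "\\"
DEFAULT_DOMAIN = "SUSE10"

# Local accounts (constructed). uid 780 / gids 16, 33, 100 match the message.
LOCAL_USERS = {"jerry": 780, "root": 0}
LOCAL_GROUPS = {
    "dialout": (16, {"jerry"}),
    "video": (33, {"jerry"}),
    "users": (100, {"jerry"}),
}

# Domain accounts (constructed). SUSE10\jerry is added here to show the
# collision the message warns about; it does not exist in Jerry's setup.
DOMAIN_USERS = {"SUSE10\\jerry": 10005, "SUSE10\\alice": 10006}
DOMAIN_GROUPS = {
    "BUILTIN\\users": (10001, {"SUSE10\\jerry", "SUSE10\\alice"}),
    "SUSE10\\developers": (10007, {"SUSE10\\jerry", "SUSE10\\alice"}),
}


def groups_of(principal, groups):
    """Sorted gids of every group in `groups` that lists `principal`."""
    return sorted(gid for gid, members in groups.values() if principal in members)


def resolve_guessing(name):
    """Policy with 'winbind use default domain = yes' as described in the message:
    an unqualified name is assumed to be DEFAULT_DOMAIN\\name and looked up at the DC.
    Returns None when that lookup fails (e.g. a purely local user)."""
    if SEPARATOR not in name:
        name = f"{DEFAULT_DOMAIN}{SEPARATOR}{name}"
    uid = DOMAIN_USERS.get(name)
    if uid is None:
        return None  # lookup_name() failed: no domain identity for this name
    return {"principal": name, "uid": uid, "groups": groups_of(name, DOMAIN_GROUPS)}


def resolve_strict(name):
    """No guessing: an unqualified name is local only; a qualified name goes to
    the domain tables. The two namespaces never overlap, so no ambiguity."""
    if SEPARATOR in name:
        uid = DOMAIN_USERS.get(name)
        groups = DOMAIN_GROUPS
    else:
        uid = LOCAL_USERS.get(name)
        groups = LOCAL_GROUPS
    if uid is None:
        return None
    return {"principal": name, "uid": uid, "groups": groups_of(name, groups)}


def collisions():
    """Local usernames that a DEFAULT_DOMAIN account would shadow once the domain
    prefix is stripped; the check an admin should run before enabling guessing."""
    prefix = DEFAULT_DOMAIN + SEPARATOR
    stripped = {n[len(prefix):]: n for n in DOMAIN_USERS if n.startswith(prefix)}
    return {local: stripped[local] for local in LOCAL_USERS if local in stripped}


if __name__ == "__main__":
    for user in ("jerry", "root", "SUSE10\\alice"):
        print(f"{user:14} guessing={resolve_guessing(user)}")
        print(f"{user:14} strict  ={resolve_strict(user)}")
    print("collisions:", collisions())
```

With guessing enabled, the unqualified "jerry" is silently resolved to the domain account (uid 10005, domain groups only) and the local uid 780 is never consulted; for "root", which has no domain counterpart, the guessed lookup simply fails. The strict policy returns the local account for unqualified names and the domain account only when the caller qualifies it, and collisions() lists the names where the two policies would disagree.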