Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
Gerald (Jerry) Carter
jerry at samba.org
Thu Jul 20 18:52:26 GMT 2006
Dave Daugherty wrote:
> My opinion:
> Local users should always take precedence.
> People should specifically refer to local users as
> <SambaHostName>\localuser, if that is the form the
> SMB client insists on sending.
> Tacking on default domains and/or stripping
> domains to/from user names and "trying them out" is playing
> fast and loose with user identity and
> is a breeding ground for potential security holes.
I don't think you fully understand the problem. We're
talking about Unix shell tools, not SMB clients. A local
username is always unqualified when sent by Unix tools like
'id' to query group membership. A domain user may or may
not be qualified, so how do you know an unqualified domain
user from a normal local user? For example,
With 'winbind use default domain = no'
With 'winbind use default domain = yes'
the problem is that when guessing the domain, we assume
the Windows domain name. Prior to querying group membership,
we do a lookup_name() query to the DC for this name
(DOMAIN\jerry) which fails since it is a local user.
So any local groups are excluded from the getgroups()
*This* ambiguity is why I will be removing the guess
work from the server code in 3.0.24.
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
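The following is an added toy model of the two behaviours the message describes; it is constructed for illustration and is not Samba code or anything posted in this thread. The local and domain account tables, the guessed domain name "DOMAIN", and the function names (resolve_groups, lookup_name, ambiguous_names) are all assumptions. It shows how the same unqualified string "jerry" is sent to the DC as DOMAIN\jerry when the domain is guessed, how that lookup fails for a purely local account so no local groups come back, and it adds a simple audit that lists the names present in both namespaces, which are exactly the ones for which guessing changes the identity.

```python
# Constructed toy model of unqualified-name resolution with
# 'winbind use default domain' set to no / yes. Not Samba code: the
# databases, the guessed domain and the function names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

WINDOWS_DOMAIN = "DOMAIN"  # assumed: the domain winbindd would guess

# Assumed local account database (the role of /etc/passwd and /etc/group).
LOCAL_USERS: Dict[str, Set[str]] = {
    "jerry": {"wheel", "staff"},   # local only: no DOMAIN\jerry exists
    "bob": {"backup"},             # exists locally *and* in the domain
}

# Assumed directory contents keyed by qualified name, i.e. what the DC
# would answer to a lookup_name() query.
DOMAIN_USERS: Dict[str, Set[str]] = {
    "DOMAIN\\alice": {"Domain Users", "Developers"},
    "DOMAIN\\bob": {"Domain Users"},
}


@dataclass
class Resolution:
    requested: str                 # the name exactly as the Unix tool sent it
    sent_to_dc: Optional[str]      # the qualified name looked up at the DC, if any
    groups: Set[str] = field(default_factory=set)
    note: str = ""


def lookup_name(qualified: str) -> Optional[Set[str]]:
    """Simulated DC query; None means the DC does not know the name."""
    return DOMAIN_USERS.get(qualified)


def split_name(name: str):
    """Split 'DOM\\user' into ('DOM', 'user'); an unqualified name gives (None, user)."""
    if "\\" in name:
        dom, user = name.split("\\", 1)
        return dom.upper(), user
    return None, name


def resolve_groups(name: str, use_default_domain: bool) -> Resolution:
    """Group lookup as the message describes it.

    use_default_domain=False: an unqualified name is a local account and a
    domain user must be written DOMAIN\\user.
    use_default_domain=True: the Windows domain is guessed for unqualified
    names, so DOMAIN\\jerry is looked up at the DC, that fails for a purely
    local user, and the local groups are never consulted.
    """
    dom, user = split_name(name)
    if dom is None and not use_default_domain:
        groups = LOCAL_USERS.get(user)
        if groups is None:
            return Resolution(name, None, set(), "unknown local user")
        return Resolution(name, None, set(groups), "resolved as local user")
    if dom is None:
        dom = WINDOWS_DOMAIN  # the guess the message objects to
    qualified = f"{dom}\\{user}"
    groups = lookup_name(qualified)
    if groups is None:
        return Resolution(name, qualified, set(),
                          "DC lookup failed; local groups excluded")
    return Resolution(name, qualified, set(groups), "resolved as domain user")


def ambiguous_names(local: Dict[str, Set[str]], domain: Dict[str, Set[str]],
                    guessed_domain: str) -> Set[str]:
    """Unqualified names that exist both locally and as <guessed_domain>\\name."""
    prefix = guessed_domain.upper() + "\\"
    domain_short = {q[len(prefix):] for q in domain if q.upper().startswith(prefix)}
    return set(local) & domain_short


if __name__ == "__main__":
    for setting in (False, True):
        label = "yes" if setting else "no"
        for who in ("jerry", "alice", "DOMAIN\\alice", "bob"):
            r = resolve_groups(who, setting)
            print(f"use default domain = {label:3} {who:13} -> {sorted(r.groups)} ({r.note})")
    print("ambiguous names:",
          sorted(ambiguous_names(LOCAL_USERS, DOMAIN_USERS, WINDOWS_DOMAIN)))
```

Running it shows "jerry" getting its local groups only under the "no" setting; under "yes" the request goes to the DC as DOMAIN\jerry, fails, and returns nothing. The ambiguous_names() audit reports "bob", the one name that lives on both sides and would silently change meaning depending on the setting.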