BUILTIN\{Administrators,Users}

Gerald (Jerry) Carter jerry at samba.org
Sun Mar 12 23:36:30 GMT 2006



Volker Lendecke wrote:

>> I don't really have a current need for BUILTIN\Users so we
>> can drop that one.  I was just thinking of a general framework
>> for the BUILTIN principals.  But the method described could
>> apply to BUILTIN\Users as well.
> 
> True. But for the 'restrict anonymous' stuff s-1-5-11
> seems more appropriate for me. But I'm fine with some
> defaults for BUILTIN\Users.

ok.  Let's deal with Administrators first and add BUILTIN\Users
only if there is a need.

>>> If BUILTIN\Administrators is explicitly mapped, then give
>>> the admin full control. Irrespective of 'winbind nested
>>> groups = yes/no' do not look at Domain Administrators or
>>> geteuid()==0 but strictly follow who's in the group.
>> I'm not sure I follow that first sentence.  For access checks
> 
> I meant that the human administrator of the box should have
> full control over who is a member of S-1-5-32-544, I don't
> want any magic memberships :-)

ok.  That sounds fair.  I'm going to start working on this
sometime next week.




cheers, jerry






More information about the samba-technical mailing list