Gerald (Jerry) Carter
jerry at samba.org
Sun Mar 12 23:36:30 GMT 2006
Volker Lendecke wrote:
>> I don't really have a current need for BUILTIN\Users so we
>> can drop that one. I was just thinking of a general framework
>> for the BUILTIN principals. But the method described could
>> apply to BUILTIN\Users as well.
> True. But for the 'restrict anonymous' stuff s-1-5-11
> seems more appropriate for me. But I'm fine with some
> defaults for BUILTIN\Users.
ok. Let's deal with Administrators first and add BUILTIN\Users
only if there is a need.
>>> If BUILTIN\Administrators is explicitly mapped, then give
>>> the admin full control. Irrespective of 'winbind nested
>>> groups = yes/no' do not look at Domain Administrators or
>>> geteuid()==0 but strictly follow who's in the group.
>> I'm not sure I follow that first sentence. For access checks
> I meant that the human administrator of the box should have
> full control over who is member of S-1-5-32-544, I don't
> want any magic memberships :-)
ok. That sounds fair. I'm going to start working on this
sometime next week.