[PATCH] Expanding nested groups in winbindd_getgrnam()

Gerald (Jerry) Carter jerry at samba.org
Wed Jun 13 17:33:16 GMT 2007



James Peach wrote:
> On Jun 12, 2007, at 10:22 PM, Gerald (Jerry) Carter wrote:
>>
>> Here's a rough patch for expanding domain group membership
>> in the winbindd_getgrnam() call.
> 
> What's the use case for this? What does it solve 
> that "winbind nested groups"?

The names are confusing but "windows nested groups"
implements the NT4 model of local groups (e.g.
BUILTIN\Administrators).  The "winbind expand groups"
patch unrolls nested domain groups.

For example, suppose the domain global group
DOM\outergroup has 2 members: user1 and innergroup.
DOM\innergroup is another domain global group with
one member: user2.

Before this patch, "getent group DOM\outergroup" would
return:

  DOM\outergroup:x:10000:DOM\user1

If you set 'winbind expand groups = 2' (to unroll
up to 2 levels of nesting), you will get

  DOM\outergroup:x:10000:DOM\user1,DOM\user2

This is useful for Unix applications that need to check
if a user is a member of a group using NSS.

Come to think of it, I'll probably have to do some more
work to get domain group unrolling to work with machine
local groups.



cheers, jerry
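The depth-limited unrolling described in the message above, as an added Python example that is not Samba's code or part of the patch. The group data (including DOM\deepgroup and the membership cycle), the function names, and the reading of depth 1 as "direct members only" are assumptions.

```python
# Constructed directory data mirroring the example in the message above,
# extended with a hypothetical third level and a membership cycle.
GROUPS = {
    r"DOM\outergroup": [r"DOM\user1", r"DOM\innergroup"],
    r"DOM\innergroup": [r"DOM\user2", r"DOM\deepgroup", r"DOM\outergroup"],
    r"DOM\deepgroup": [r"DOM\user3"],
}


def expand_group(name, max_depth, groups=GROUPS):
    """Return (users, unexpanded): users found within max_depth levels,
    and nested groups skipped because the depth limit was reached.

    Assumption: depth 1 lists direct user members only, so depth 2
    unrolls one level of nesting, as in the message's example.
    """
    users, unexpanded = [], []
    seen = {name}                      # guards against membership cycles
    frontier = [name]
    for level in range(1, max_depth + 1):
        next_frontier = []
        for group in frontier:
            for member in groups[group]:
                if member not in groups:          # a user, not a group
                    if member not in users:
                        users.append(member)
                elif member not in seen:
                    seen.add(member)
                    if level < max_depth:
                        next_frontier.append(member)
                    else:
                        unexpanded.append(member)
        frontier = next_frontier
    return users, unexpanded


def getent_line(name, gid, max_depth):
    """Format the result the way 'getent group' prints a group entry."""
    users, _ = expand_group(name, max_depth)
    return f"{name}:x:{gid}:{','.join(users)}"
```

At depth 2 the constructed DOM\user3 is still absent from the member list even though it belongs to DOM\outergroup through nesting, so an application that authorizes on the NSS group listing sees only what the configured depth reaches.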

