[SCM] Samba Shared Repository - branch master updated - 4432967532897cc90ce7d7b11fab6f6f88f8bfc0

Michael Adam ma at sernet.de
Wed Sep 24 09:25:08 GMT 2008


Hi Jerry, Jeremy,

Gerald (Jerry) Carter wrote:
> Gerald (Jerry) Carter wrote:
> > Jeremy Allison wrote:
> >> Michael, should these be back-ported to something
> >> other than master (3.3 ?).

Yeah, I guess that once they are thoroughly tested,
they should go into v3-3-test.
But I have only touched the ads and rpc backend so far.
Have to look into the passdb backend. (Are there more to
consider?)

> > I think these changes are actually wrong.  I remember making
> > a change to ensure that names were qualified coming back from this.
> > I *hate* that crappy parameter.

I *!?x\.% hate it, too. I also made a very quick vote of disabling
it or turning it into a placebo parameter on #samba-technical.
There was only one vote, +1, by me. ... :-)

Then Volker threw in his usual (and valid) argument that we should
not break existing setups, though.

Well, when we have the parameter, we should also honour it!

> btw...Don't worry about the checkin.  I'll do some regression testing.
> I might be over reacting :-)

btw: you should see the several commits as a whole.

Let me describe what problems I tried to solve with the patches:

1. With "winbind use default domain = yes", and "security = ads",
   when listing a domain group, we got something like

   # getent group groupname
   group:x:100000:DOMAIN\user1,DOMAIN\user2

   where DOMAIN is the default domain. This is what 49145bfefa
   is supposed to fix. (together with 1b9c2ccb1f1b that
   introduces a talloc version of fill_domain_username() which
   adds the domain prefix depending on the domain and the value
   of "lp_winbind_use_default_domain()".)

   This is bug #5748.

2. The output of "getent group" for aliases containing domain
   groups was inconsistent between rpc and ads backend, since
   the ads backend always added the domain prefix and the rpc
   backend never did. That led to output like this, when
   BUILTIN\\administrators has ads group DOMAIN\groupname as member.

   # getent group BUILTIN\\administrators
   BUILTIN\\administrators:x:100001:DOMAIN\domain\user1,DOMAIN\domain\user2
  
   This is fixed by
   (a) making rpc backend lookup_groupmem add domain prefix
       conditionally with fill_domain_username_talloc() as with ads.
       (1f8a7739a)

   (b) changing add_expanded_sid() in winbindd_group.c to not add the domain
       prefix when adding users from a group looked up with lookup_groupmem.

Cheers - Michael

-- 
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
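
The two problems described in the mail, as an added example that is not part of the original message and is not Samba source code: a simplified C model of conditional domain prefixing (point 1) and of the double prefix that appears when both the backend and the caller qualify a member name (point 2). The function names `model_qualify` and `model_expand_member`, their parameters, and the fixed `\` separator are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified model, NOT Samba source. Function names, parameters and the
 * fixed '\\' separator are assumptions made for this illustration. */

/* Models the conditional prefixing the mail attributes to
 * fill_domain_username_talloc(): drop the prefix only for the default
 * domain, and only when "winbind use default domain = yes". */
int model_qualify(char *out, size_t len, const char *default_domain,
                  bool use_default_domain, const char *domain,
                  const char *user)
{
    if (use_default_domain && strcasecmp(domain, default_domain) == 0)
        return snprintf(out, len, "%s", user);
    return snprintf(out, len, "%s\\%s", domain, user);
}

/* Models the caller expanding an alias member that is a domain group.
 * backend_name is what the backend's group-member lookup returned.
 * caller_adds_prefix = true is the behaviour before fix (b): the caller
 * prefixes a name the backend may already have qualified. */
int model_expand_member(char *out, size_t len, const char *domain,
                        const char *backend_name, bool caller_adds_prefix)
{
    if (caller_adds_prefix)
        return snprintf(out, len, "%s\\%s", domain, backend_name);
    return snprintf(out, len, "%s", backend_name);
}

int main(void)
{
    char name[64], member[128];

    /* Constructed sample: default domain DOMAIN, parameter off. */
    model_qualify(name, sizeof(name), "DOMAIN", false, "DOMAIN", "user1");
    model_expand_member(member, sizeof(member), "DOMAIN", name, true);
    printf("before (b): %s\n", member);
    model_expand_member(member, sizeof(member), "DOMAIN", name, false);
    printf("after  (b): %s\n", member);

    /* Point 1: with the parameter on, the default domain is dropped. */
    model_qualify(name, sizeof(name), "DOMAIN", true, "DOMAIN", "user1");
    printf("default domain, parameter on: %s\n", name);
    return 0;
}
```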