# [Samba] Bug in Samba4? (idmap Domain Users

Matthieu Patou mat at samba.org
Tue Aug 17 09:45:15 MDT 2010

  On 17/08/2010 17:15, Trever L. Adams wrote:
>   On 08/17/2010 03:38 AM, Matthieu Patou wrote:
>>
>> By default it's decided that we map the Domain users group to the unix
>> users group, like we map the domain administrator to root.
>>
>> It can be changed on provision: --users=
>>
>> Cheers.
>> Matthieu
>>
> I was starting to think that this actually is the right way to do it.
> The only problem is in trust relationships where you have to create
> another user group that contains "Domain Users" and enable nested groups
> (assuming you are using the remote "Domain Users (or similar)" for
> permissions.
Although I'm not 100% sure, I think that trust relationships don't work
(yet) in samba4, or not completely.
But in any case, let's say that you have domain A and domain B which
trust each other, right?

If A\Domain users is a member of B\foo bar, I don't see how the mapping of
Windows groups will have an influence.

When the user A\bar, a member of A\Domain users, is connecting to a share
on an s4 server with ACLs for group B\foo bar, s4 first checks if it's ok at
the NT ACL level, then it checks if it's ok at the unix level, so it
searches for the gid of group B\foo bar and sees if the unix rights are ok.

It should be like this because when we return the group membership we
un-nest the nested groups, but the behavior that I describe relies on the
trust relationship working and on the trusted groups un-nesting (which I'm
pretty sure that we do not do for the moment).

>   Problem? Maybe in performance. (I am just getting started
> with Samba in large scale deployments, so I do not know. I have just
> seen references to the possibilities of problems.)
>
Sorry, I didn't get this question.

Matthieu.

--
Matthieu Patou
Samba Team        http://samba.org
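
The two-stage check described in the message above (NT ACL on the un-nested group list, then the unix gid and permission bits), as an added example that is not part of the original post and is not Samba's code. It is a simplified model: the group names reuse the message's A\bar, A\Domain Users and B\foo bar, while B\loop, the gid values and all function names are constructed assumptions.

```python
# Simplified model of the access decision described in the message.
# NOT Samba code; groups, gids and function names are constructed for illustration.

# group -> direct members (users or groups), including nesting across the trust
NESTED = {
    r"A\Domain Users": {r"A\bar"},
    r"B\foo bar": {r"A\Domain Users"},
    r"B\loop": {r"B\foo bar", r"B\loop"},  # self-reference: exercises cycle handling
}

# idmap: Windows group -> unix gid (constructed values)
IDMAP_GID = {r"A\Domain Users": 100, r"B\foo bar": 3000001}


def direct_groups(principal, nested=NESTED):
    """Groups that list the principal as a direct member."""
    return {g for g, members in nested.items() if principal in members}


def unnest(principal, nested=NESTED):
    """Every group the principal belongs to, directly or through nesting."""
    found, stack = set(), [principal]
    while stack:
        for group in direct_groups(stack.pop(), nested) - found:
            found.add(group)
            stack.append(group)
    return found


def check_access(user, nt_acl_groups, file_gid, group_bits, want, unnest_groups=True):
    """Stage 1: NT ACL against the group list. Stage 2: unix gid and mode bits."""
    token = unnest(user) if unnest_groups else direct_groups(user)
    if not token & set(nt_acl_groups):
        return "denied: NT ACL"
    unix_gids = {IDMAP_GID[g] for g in token if g in IDMAP_GID}
    if file_gid not in unix_gids or (group_bits & want) != want:
        return "denied: unix"
    return "allowed"


if __name__ == "__main__":
    acl = [r"B\foo bar"]
    print(check_access(r"A\bar", acl, 3000001, 0o7, 0o4))         # un-nesting on
    print(check_access(r"A\bar", acl, 3000001, 0o7, 0o4, False))  # un-nesting off
    print(check_access(r"A\bar", acl, 3000001, 0o0, 0o4))         # unix bits too tight
```

With `unnest_groups=False` the model shows the dependency the message points out: without un-nesting of the trusted groups, A\bar never appears as a member of B\foo bar and the check fails at the NT ACL stage.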