[Samba] Bug in Samba4? (idmap Domain Users

Trever L. Adams trever.adams at gmail.com
Tue Aug 17 16:34:37 MDT 2010


 On 08/17/2010 09:45 AM, Matthieu Patou wrote:
> Although I'm not 100% sure, I think that trust relationship didn't
> work (yet) in samba4 or not completely.
> But in any case let's say that you have domain A and domain B which
> trust each other, right?
>
My understanding is that it doesn't work yet as well. I am just thinking
forward.
> if A\Domain users is member of B\foo bar I don't see how the mapping
> of Windows groups will have an influence.

A scenario of SomeFile with permissions for SomeGroup below:

SomeFile group: Some Group rwx

SomeGroup: usera, userb, userc, OtherDomain\Domain Users

As I understand it OtherDomain\Domain Users will be checked against the
range allowed from OtherDomain. Since 100 (local users) is out of the
range, Domain Users will not be allowed. Am I wrong? If not, then that
is where the idea of OtherDomain\All Users: OtherDomain\DomainUsers comes
in, to remap the group so that it can be used.
>
> It should be like this because when we return the group membership we
> un-nest the nested groups, but the behavior that I describe relies on
> the trust relationship to work and on the trusted groups un-nesting
> (which I'm pretty sure that we do not do for the moment).
So in other words, if unnesting happens, then the trick I just described
will fail completely?
>
>>   Problem? Maybe in performance. (I am just getting started
>> with Samba in large scale deployments, so I do not know. I have just
>> seen references to the possibilities of problems.)
>>
> Sorry didn't get this question.
>
>
> Matthieu.
>
I am reading in some places that the reason that nested groups are off
by default is that they can bog things down. Is this accurate?

Thank you again,
Trever
-- 
"What we Are is God's gift to us. What we Become is our gift to God." --
Unknown
