[Samba] Bug in Samba4? (idmap Domain Users

Trever L. Adams trever.adams at gmail.com
Tue Aug 17 16:34:37 MDT 2010

 On 08/17/2010 09:45 AM, Matthieu Patou wrote:
> Although I'm not 100% sure, I think that trust relationship didn't
> work (yet) in samba4 or not completely.
> But in any case let's say that you have domain A and domain B which
> trust each other, right?
My understanding is that it doesn't work yet as well. I am just thinking
> if A\Domain users is member of B\foo bar I don't see how the mapping
> of Windows groups will have an influence.

A scenario of SomeFile with permissions for SomeGroup below:

SomeFile group: Some Group rwx

SomeGroup: usera, userb, userc, OtherDomain\Domain Users

As I understand it OtherDomain\Domain Users will be checked against the
range allowed from OtherDomain. Since 100 (local users) is out of the
range, Domain Users will not be allowed. Am I wrong? If not, then that
is where the idea of OtherDomain\All Users: OtherDomain\Domain Users comes
in, to remap the group so that it can be used.
> It should be like this because when we return the group membership we
> un-nest the nested groups, but the behavior that I describe relies on
> the trust relationship to work and on the trusted groups un-nesting
> (which I'm pretty sure that we do not do for the moment).
So in other words, if unnesting happens, then the trick I just described
will fail completely?
>>   Problem? Maybe in performance. (I am just getting started
>> with Samba in large scale deployments, so I do not know. I have just
>> seen references to the possibilities of problems.)
> Sorry didn't get this question.
> Matthieu.
I am reading in some places that the reason that nested groups are off
by default is that they can bog things down. Is this accurate?

Thank you again,
"What we Are is God's gift to us. What we Become is our gift to God." --
