Samba subcontract

Richard Sharpe realrichardsharpe at gmail.com
Tue Apr 16 08:35:37 MDT 2013


On Mon, Apr 15, 2013 at 3:25 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Wed, Apr 10, 2013 at 10:20:11AM +0300, Dzmitry Liadziayeu wrote:
>> Hello, everybody!
>>
>> To whom it may concern,
>> We need an expert in the Samba permissions area. Our business
>> objective is:
>> At the time of user(s) group membership modification
>> immediately apply new (modified according to group
>> membership change) permissions set in existing session(s)
>> without breaking existing connection(s).
>> More details will be provided upon request for the person
>> interested.
>
> Just in case you found someone: It would be nice if you kept
> this list posted with the patches that come out of this
> effort. There are some valid concerns about whether and how
> this is solvable, so it might turn out to be worthwhile for
> you as well to have this discussed with a broader audience.

So, quite apart from the fact that a Samba member server would not
know that group membership has changed, and that you would have to get
Samba to change, for each affected currently logged on session, the
set of SIDs that are appropriate (deleting some and adding some in the
general case), this is not how Windows works, I believe.

A better approach might be to implement the new dynamic (claims-based
SIDs) in Samba.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)


More information about the samba-technical mailing list