[PR PATCH] idmap_rid: default group always set to "Domain Users"
metze at samba.org
Fri Apr 20 05:09:45 UTC 2018
On 19.04.2018 at 19:24, Samuel Cabrero via samba-technical wrote:
> On Fri, 2018-04-13 at 16:59 +0200, Volker Lendecke via samba-technical
>> On Thu, Apr 12, 2018 at 09:47:55PM +0300, Uri Simchoni via samba-
>> technical wrote:
>>> The thing I'm less certain about is the "somehow". I'd guess an RPC
>>> the DC would do it correctly irrespective of the winbindd backend,
>>> but I
>>> could be missing something here. In the original code we had a
>>> _wbint_QueryUser to deal with that on a per-backend basis, and it
>>> removed in the series of commits that ended in
>>> 319d60285c92bbf86bc0a3f872f9c9f9d0530129. I'm not sure we really
>>> this per-backend behavior though - all AD DC's support RPC, and the
>>> backend already does lots of RPC, it's far from pure ldap (and
>>> rightly so).
>> wbint_QueryUser would have to use samr. This can at best (if at all)
>> with the domain we're member of. And even that is something we need
>> get rid of. Without a samlogon cache entry there is just no reliable
>> way to get that done. The only way out is (I believe) a s4u2self
>> client, something which is in the works somewhere.
> what do you think about this patch? It calls SAMR QueryUserInfo only if
> there is no samlogon cache entry and, if the call succeeds, extracts the
> primary group SID, the account name and the full name. Then let the
> idmap backend override it (GetNssInfo call, only idmap_ad will do).
I think we should work towards removing all cm_connect_sam() calls
instead of re-adding them.
I think we should rather not return any information at all if we
don't have the correct information.
We need to use S4U2Self in order to get this fixed.