[Samba] smbldap.c
Gerald (Jerry) Carter
jerry at samba.org
Tue Sep 16 21:02:04 GMT 2003
Rauno Tuul wrote:
|
| -----Original Message-----
| From: Antoine Jacoutot [mailto:ajacoutot at lphp.org]
|
| On Tuesday 16 September 2003 21:34, Rauno Tuul wrote:
|
|>IMHO groupmapping doesn't fill that hole, because whatever groupmap entry
|>doesn't give admin rights on LDAP.
You're thinking about this from the wrong perspective.
The 'domain admin group' from 3.0 was a limited way to
handle group mapping. Instead of being a smb.conf parameter,
the domain admin group is now a mapping between the domain
admins SID and a unix gid. The check will be pretty much
the same. We'll just make the domain admin sid against
the current user's NT_TOKEN.
|>So, you think that's ok to remove that piece of code, right ?
|
| removing isn't the best solution, for security reasons. then can anyone turn
| the LDAP to a mess...
Removing it is a really bad idea since anyone could then
view user passwords if they tried hard enough.
| Honestly said, the parameter "domain admin group" should come back.
| Some say it isn't necessary.
No. I can fix this just using the group mapping
entry for "Domain Admins". We'll fix it post 3.0.0.
cheers, jerry
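The check described in the message above (comparing the Domain Admins SID with the SIDs in the current user's token) can be sketched as follows. This is an added example, not Samba's code: `struct sid`, `struct nt_token` and all function names are hypothetical simplifications, and the only outside fact used is the well-known Domain Admins RID, 512. The SID-to-unix-gid group mapping itself is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SUBAUTHS 15
#define RID_DOMAIN_ADMINS 512u  /* well-known RID of "Domain Admins" */

/* Simplified SID, S-1-<id_auth>-<sub_auths...> (hypothetical layout). */
struct sid {
    uint8_t  id_auth;                 /* 5 = NT Authority */
    uint8_t  num_auths;
    uint32_t sub_auths[MAX_SUBAUTHS];
};

/* Simplified stand-in for the user's NT token: the SIDs the user holds. */
struct nt_token {
    size_t num_sids;
    const struct sid *sids;
};

static bool sid_equal(const struct sid *a, const struct sid *b)
{
    if (a->id_auth != b->id_auth || a->num_auths != b->num_auths)
        return false;
    return memcmp(a->sub_auths, b->sub_auths,
                  a->num_auths * sizeof(uint32_t)) == 0;
}

/* Build <domain SID>-512; fails if the domain SID has no room for a RID. */
static bool domain_admins_sid(const struct sid *domain, struct sid *out)
{
    if (domain == NULL || domain->num_auths >= MAX_SUBAUTHS)
        return false;
    *out = *domain;
    out->sub_auths[out->num_auths++] = RID_DOMAIN_ADMINS;
    return true;
}

/* Fail closed: a missing token or an unusable domain SID means "not admin". */
bool token_is_domain_admin(const struct nt_token *tok, const struct sid *domain)
{
    struct sid admins;
    if (tok == NULL || tok->sids == NULL || !domain_admins_sid(domain, &admins))
        return false;
    for (size_t i = 0; i < tok->num_sids; i++)
        if (sid_equal(&tok->sids[i], &admins))
            return true;
    return false;
}
```

The comparison is on the full SID, so a RID of 512 under a different domain SID does not pass.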