Gerald (Jerry) Carter
jerry at samba.org
Tue Sep 16 21:02:04 GMT 2003
Rauno Tuul wrote:
| -----Original Message-----
| From: Antoine Jacoutot [mailto:ajacoutot at lphp.org]
| On Tuesday 16 September 2003 21:34, Rauno Tuul wrote:
|>IMHO groupmapping doesn't fill that hole, because whatever groupmap entry
|>doesn't give admin rights on LDAP.
You're thinking about this from the wrong perspective.
The 'domain admin group' from 3.0 was a limited way to
handle group mapping. Instead of being a smb.conf parameter,
the domain admin group is now a mapping between the domain
admins SID and a unix gid. The check will be pretty much
the same. We'll just make the domain admin sid against
the current user's NT_TOKEN.
|>So, you think that's ok to remove that piece of code, right ?
| removing isn't the best solution, for security reasons. then can
| the LDAP to a mess...
Removing it is a really bad idea since anyone could then
view user passwords if they tried hard enough.
| Honestly said, the parameter "domain admin group" should come back.
| Some say it isn't necessary.
No. I can fix this just using the group mapping
entry for "Domain Admins". We'll fix it post 3.0.0.
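The check described in the reply above, sketched as an added example (it is not Samba's code and not part of the original message): admin rights are decided by looking for the Domain Admins SID, the domain SID plus the well-known RID 512, among the SIDs in the user's token. The struct layouts, the function name and the sample SIDs are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SUBAUTHS 15
#define RID_DOMAIN_ADMINS 512u /* well-known RID of Domain Admins */
/* Simplified SID S-1-<authority>-<subs...>; not Samba's own structure. */
struct sid { uint8_t authority; uint8_t num_subs; uint32_t subs[MAX_SUBAUTHS]; };
/* Hypothetical stand-in for the user's NT token: the SIDs the user holds. */
struct token { size_t num_sids; const struct sid *sids; };

static bool sid_equal(const struct sid *a, const struct sid *b)
{
    return a->authority == b->authority && a->num_subs == b->num_subs &&
           memcmp(a->subs, b->subs, a->num_subs * sizeof(uint32_t)) == 0;
}

/* Fail closed: a missing token or malformed domain SID is never an admin. */
bool token_is_domain_admin(const struct token *tok, const struct sid *domain)
{
    struct sid admins;
    if (!tok || !tok->sids || !domain || domain->num_subs >= MAX_SUBAUTHS)
        return false;
    admins = *domain;                                  /* <domain SID>-512 */
    admins.subs[admins.num_subs++] = RID_DOMAIN_ADMINS;
    for (size_t i = 0; i < tok->num_sids; i++)
        if (sid_equal(&tok->sids[i], &admins))
            return true;
    return false;
}

/* Constructed sample data: local domain S-1-5-21-1111-2222-3333. */
const struct sid sample_domain = { 5, 4, { 21, 1111, 2222, 3333 } };
static const struct sid admin_sids[] = {
    { 5, 5, { 21, 1111, 2222, 3333, 1000 } },  /* the user */
    { 5, 5, { 21, 1111, 2222, 3333, 512 } },   /* Domain Admins */
};
static const struct sid user_sids[] = {
    { 5, 5, { 21, 1111, 2222, 3333, 1001 } },  /* the user */
    { 5, 5, { 21, 1111, 2222, 3333, 513 } },   /* Domain Users */
};
static const struct sid foreign_sids[] = {
    { 5, 5, { 21, 9, 9, 9, 512 } },            /* RID 512 of another domain */
};
const struct token admin_tok = { 2, admin_sids };
const struct token user_tok = { 2, user_sids };
const struct token foreign_tok = { 1, foreign_sids };
int main(void) { return token_is_domain_admin(&admin_tok, &sample_domain) ? 0 : 1; }
```

The third sample token shows why the whole SID is compared rather than the RID alone: RID 512 under a different domain SID grants nothing.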