[Samba] smbldap.c

Gerald (Jerry) Carter jerry at samba.org
Tue Sep 16 21:02:04 GMT 2003

Rauno Tuul wrote:
| -----Original Message-----
| From: Antoine Jacoutot [mailto:ajacoutot at lphp.org]
| On Tuesday 16 September 2003 21:34, Rauno Tuul wrote:
|>IMHO groupmapping doesn't fill that hole, because whatever groupmap entry
|>doesn't give admin rights on LDAP.

You're thinking about this from the wrong perspective.
The 'domain admin group' from 3.0 was a limited way to
handle group mapping.  Instead of being a smb.conf parameter,
the domain admin group is now a mapping between the domain
admins SID and a unix gid.  The check will be pretty much
the same.  We'll just make the domain admin sid against
the current user's NT_TOKEN.

|>So, you think that's ok to remove that piece of code, right ?
| removing isn't the best solution, for security reasons. then can anyone
| turn the LDAP to a mess...

Removing it is a really bad idea since anyone could then
view user passwords if they tried hard enough.

| Honestly said, the parameter "domain admin group" should come back.
| Some say it isn't necessary.

No.  I can fix this just using the group mapping
entry for "Domain Admins".  We'll fix it post 3.0.0.

cheers, jerry
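
The token check described in the message above, as an added example that is not Samba's code: the Domain Admins SID is the domain SID plus the well-known RID 512, and a user counts as an admin only if that exact SID is in their token. The struct layouts, function names and sample SIDs are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_SUBAUTHS 15
#define RID_DOMAIN_ADMINS 512u   /* well-known RID of "Domain Admins" */
struct sid {                     /* simplified S-1-<authority>-<sub_auths...> */
    uint8_t  authority;
    uint8_t  num_auths;
    uint32_t sub_auths[MAX_SUBAUTHS];
};
struct user_token {              /* hypothetical stand-in for an NT token */
    size_t            num_sids;
    const struct sid *sids;
};

static bool sid_equal(const struct sid *a, const struct sid *b)
{
    return a->authority == b->authority && a->num_auths == b->num_auths &&
           !memcmp(a->sub_auths, b->sub_auths, a->num_auths * sizeof(uint32_t));
}

/* True only if the token holds <domain SID>-512; fails closed otherwise. */
bool token_is_domain_admin(const struct user_token *tok, const struct sid *domain)
{
    if (tok == NULL || domain == NULL || domain->num_auths >= MAX_SUBAUTHS)
        return false;
    struct sid want = *domain;
    want.sub_auths[want.num_auths++] = RID_DOMAIN_ADMINS;
    for (size_t i = 0; i < tok->num_sids; i++)
        if (sid_equal(&tok->sids[i], &want))
            return true;
    return false;
}

/* Constructed sample data: domain S-1-5-21-1-2-3 and two tokens. */
static const struct sid SAMPLE_DOMAIN = {5, 4, {21, 1, 2, 3}};
static const struct sid ADMIN_SIDS[] = {{5, 5, {21, 1, 2, 3, 513}},
                                        {5, 5, {21, 1, 2, 3, 512}}};
static const struct sid OTHER_SIDS[] = {{5, 5, {21, 1, 2, 3, 513}},
                                        {5, 5, {21, 9, 9, 9, 512}}}; /* other domain */
static const struct user_token ADMIN_TOKEN = {2, ADMIN_SIDS};
static const struct user_token USER_TOKEN  = {2, OTHER_SIDS};

int main(void)
{
    return !(token_is_domain_admin(&ADMIN_TOKEN, &SAMPLE_DOMAIN) &&
             !token_is_domain_admin(&USER_TOKEN, &SAMPLE_DOMAIN));
}
```

The second sample token carries RID 512 from a different domain and is rejected, which is why the comparison covers the full SID rather than the RID alone.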