[Samba] smbldap.c

Rauno Tuul rauno.tuul at haigekassa.ee
Wed Sep 17 05:18:15 GMT 2003


> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry at samba.org]

> |>IMHO groupmapping doesnt fill that hole, because whatever
> groupmap entry
> |>doesn't give admin rights on LDAP.
>
> You're thinking about this from the wrong perspective.
> The 'domain admin group' from 3.0 was a limited way to
> handle group mapping.  Instead of being a smb.conf parameter,
> the domain admin group is now a mapping between the domain
> admins SID and a unix gid.  The check will be pretty much
> the same.  We'll just make the domain admin sid against
> the current user's NT_TOKEN.
>
> | Honestly said, the parameter "domain admin group" should come back.
> | Some say it isn't necessary.
>
> No.  I can fix this just using the group mapping
> entry for "Domain Admins".  We'll fix it post 3.0.0.

This LDAP access check for group mapping entry for "Domain Admins" is a good
idea and I'm glad to hear, that solution is coming. After some time, but
hopefully it comes...

rgds,

 - Rauno Tuul -



More information about the samba mailing list