[Samba] Identically named users and groups

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Aug 9 07:14:43 GMT 2006


On Wed, Aug 09, 2006 at 09:05:26AM +0200, Michael Gasch wrote:
> Stupid question: so why did you change to token-based access checks at
> all? What were/are the Samba-internal reasons to do this?

Lots :-)

We had all sorts of access check variants all over the code,
all working slightly differently. So none of the developers
could immediately say which kind of access check is being
done in what line of the code. For security-related stuff
this is a very bad thing, so we had to clean that up in a big
way. And as in many places we have to deal with the user's
token anyway and for example in the domain member case this
is the *only* reliable authorization data available, doing
all access checks based on the token is the logical way to
go.

> OK, but does this also apply to a member server running winbindd?
> Because you say "passdb" and I always thought a domain member running
> winbindd has no passdb of its own.

It does not have to, but it certainly can. Likewise with
every Windows box, you can certainly have users, local and
global groups on a Windows domain member.

> consider this case:
> valid users = DOMAIN\test DOMAIN\test
> 
> DOMAIN\test is a user and a group (don't ask why ;) )
> Members of the group DOMAIN\test would never be able to log on to this
> share, right?

There's no way in Windows that I know of to have DOMAIN\test
be a user and a group at the same time. How did you get
Windows to do that?

Volker