[Samba] Identically named users and groups
Gerald (Jerry) Carter
jerry at samba.org
Wed Aug 9 11:52:20 GMT 2006
Michael Gasch wrote:
> hi again :)
>
>> It's a variant of the same problem but has been
>> exacerbated by the change from string comparisons
>> to token based access checks for smb.conf parameters.
>
> stupid question: so why did you change to token based
> access check at all? what were/are samba-internal reasons
> to do this?
Consistency. We have to use the token for so many
other access checks, it made little sense to have to
convert back and forth between uids/gids, strings, and
SIDs for handling smb.conf.
>> There's an implied order of precedence being applied
>> for unqualified names in smb.conf.
>>
>> * lookup the name as a user in passdb
>> * lookup the name as a group in passdb
>> * lookup the name as a user in "Unix User"
>> * lookup the name as a group in "Unix Group"
>>
>> First match wins.
>
> ok, but does this also apply on a member server
> running winbindd, because you say "passdb" and i always
> thought a domain member running winbindd has no own passdb
> (http://de.samba.org/samba/docs/man/Samba3-HOWTO/images/idmap-sid2uid.png).
> or is passdb here just a "global word" for user
> backends no matter if on a DC or a member?
Domain members can have a local SAM. It's always been
like this. Think about logging onto a Windows client.
The CTRL+ALT+DEL screen presents you with at least two
domains. The Windows domain and the machine domain.
> consider this case:
> valid users = DOMAIN\test DOMAIN\test
>
> DOMAIN\test is a user and a group (don't ask why ;) )
Won't work. Windows does not allow this. We've
been recommending against this for a while. Certainly
wouldn't work from the Windows object picker UI.
> members of the group DOMAIN\test would never be able
> to logon to this share, right?
Correct.
cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
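The lookup order for unqualified names listed in the message above, modelled as an added example (not part of the original message and not Samba source code). It shows which identically named object wins and which ones are silently ignored when a name appears in "valid users". The store contents, account names, function names and exact-match comparison are assumptions made for illustration.

```python
# Added illustration: a simplified model of the lookup order quoted in the
# message, not Samba code. All account names below are constructed.

# Order applied to unqualified smb.conf names; first match wins.
LOOKUP_ORDER = [
    ("passdb", "user"),
    ("passdb", "group"),
    ("Unix User", "user"),
    ("Unix Group", "group"),
]


def matches(name, stores):
    """Return every (store, kind) that knows `name`, in lookup order."""
    return [key for key in LOOKUP_ORDER if name in stores.get(key, set())]


def resolve(name, stores):
    """Return the winning (store, kind) for `name`, or None if unknown."""
    hits = matches(name, stores)
    return hits[0] if hits else None


def shadowed(name, stores):
    """Return the later matches that the winning entry hides."""
    return matches(name, stores)[1:]


def audit_valid_users(value, stores):
    """For each unqualified name in a `valid users` value, report what it
    resolves to and which identically named objects are never consulted."""
    report = {}
    for name in value.split():
        if "\\" in name or name[0] in "@+&":
            continue  # qualified or prefixed names are outside this model
        report[name] = {"winner": resolve(name, stores),
                        "shadowed": shadowed(name, stores)}
    return report


# Constructed sample: "test" is both a passdb user and a Unix group.
SAMPLE_STORES = {
    ("passdb", "user"): {"test", "alice"},
    ("passdb", "group"): {"staff"},
    ("Unix User", "user"): {"bob"},
    ("Unix Group", "group"): {"test", "staff"},
}

if __name__ == "__main__":
    for name, result in audit_valid_users("test staff bob", SAMPLE_STORES).items():
        print(name, result)
```

Any name with a non-empty "shadowed" list is one where members of the hidden group get no access through that entry, which is the situation the thread warns against.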