[Samba] RE: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")

Dave Daugherty dave.daugherty at centrify.com
Thu Jul 20 18:38:07 GMT 2006


My opinion:

Local users should always take precedence.

People should specifically refer to local users as
<SambaHostName>\localuser, if that is the form the SMB client insists on
sending.

Tacking on default domains and/or stripping domains to/from user names
and "trying them out" is playing fast and loose with user identity and
is a breeding ground for potential security holes.

Dave Daugherty


-----Original Message-----
From:
samba-technical-bounces+dave.daugherty=centrify.com at lists.samba.org
[mailto:samba-technical-bounces+dave.daugherty=centrify.com at lists.samba.org] On Behalf Of simo
Sent: Thursday, July 20, 2006 9:59 AM
To: Gerald (Jerry) Carter
Cc: Volker Lendecke; samba at samba.org; samba-technical at samba.org
Subject: Re: Q: winbindd, unqualified users, & name conflicts (a.k.a
"Death to 'winbind use default domain'!")

On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Volker,
> 
> Assume I have a member server named LINUX joined to a
> domain name AD.  Now assume I have a local user named foo
> in my passdb and a user named foo in the domain as well.
> I'm modifying winbindd_util.c:parse_domain_user() to do
> a lookup_name() to try to figure out which domain to prepend
> to the username rather than just assuming it's a domain user.
> But this means that we'll always choose the local user
> (due to the order of an isolated search in lookup_name()).
> 
> The main problem is the use default domain abomination
> will confuse local and domain users of the same name and
> possibly return incorrect group membership.
> 
> I am about a 1/2 inch from marking the smb.conf option
> as deprecated and adding similar option to pam_winbind.conf.
> This option just cannot work reliably.
> 
> Do you have any suggestions?

I would just document that local users will always take precedence.

Winbind use default domain is too valuable to be removed imho.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
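The conflict Jerry describes (a local passdb user and a domain user both named foo on a member server) and the policy Dave and Simo argue for (local users win, and the safe form is an explicitly qualified name) can be made concrete with a small resolver. The code below is an added example written for this page, not Samba's winbindd_util.c; the host name LINUX, the domain AD, and the user-to-SID tables are constructed sample data, and the resolver only models the precedence rule, not Samba's real lookup_name() path.

```python
# Added example (not Samba code): deterministic resolution of an SMB user
# name when a local (passdb) user and a domain user share the same name.
from dataclasses import dataclass
from typing import Optional

LOCAL_HOST = "LINUX"   # constructed: NetBIOS name of the member server
DEFAULT_DOMAIN = "AD"  # constructed: the domain the server is joined to

# Constructed sample directories. In Samba these would come from the
# local passdb and from winbindd's domain lookups respectively.
LOCAL_USERS = {"foo": "S-LOCAL-foo", "backup": "S-LOCAL-backup"}
DOMAIN_USERS = {"AD": {"foo": "S-AD-foo", "bar": "S-AD-bar"}}


@dataclass
class Resolution:
    domain: str
    user: str
    sid: str
    # True when the unqualified name also existed in the default domain,
    # i.e. the caller silently got the local user instead of the domain one.
    ambiguous: bool


def parse_name(name: str):
    """Split DOMAIN\\user into (DOMAIN, user); unqualified names give (None, user)."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain.upper(), user
    return None, name


def resolve(name: str, use_default_domain: bool = False) -> Optional[Resolution]:
    """Resolve an SMB-style user name.

    Qualified names are looked up only where they point (host name -> passdb,
    anything else -> that domain). Unqualified names always prefer the local
    user; the default domain is consulted only when the option is on, which
    is where the foo-vs-foo confusion from the thread comes from.
    """
    domain, user = parse_name(name)
    if domain is not None:
        if domain == LOCAL_HOST:
            sid = LOCAL_USERS.get(user)
            return Resolution(LOCAL_HOST, user, sid, False) if sid else None
        sid = DOMAIN_USERS.get(domain, {}).get(user)
        return Resolution(domain, user, sid, False) if sid else None

    local_sid = LOCAL_USERS.get(user)
    domain_sid = None
    if use_default_domain:
        domain_sid = DOMAIN_USERS.get(DEFAULT_DOMAIN, {}).get(user)

    if local_sid is not None:
        # Local precedence: the domain user of the same name is shadowed.
        return Resolution(LOCAL_HOST, user, local_sid, domain_sid is not None)
    if domain_sid is not None:
        return Resolution(DEFAULT_DOMAIN, user, domain_sid, False)
    return None


def find_conflicts() -> list:
    """Names present both locally and in the default domain: the accounts whose
    unqualified form would be shadowed if 'use default domain' were enabled."""
    domain_names = set(DOMAIN_USERS.get(DEFAULT_DOMAIN, {}))
    return sorted(set(LOCAL_USERS) & domain_names)


if __name__ == "__main__":
    for n in ("foo", "bar", "LINUX\\foo", "AD\\foo"):
        print(n, "->", resolve(n, use_default_domain=True))
    print("shadowed names:", find_conflicts())
```

The useful output is the `ambiguous` flag and `find_conflicts()`: an administrator weighing the option can list the names that would be shadowed before turning it on, and an audit log that records the flag shows which sessions were granted a local identity while the client may have meant the domain one.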
