[Samba] unix group membership -- broken in 3.0.23c?

Dmitry Karasik dmitry at karasik.eu.org
Fri Nov 17 13:37:07 GMT 2006

> Question: Would you want to rewrite the section for "invalid
> users"? The developers on this list here will certainly help
> with questions you have and proof-read your suggestions :-)

I have questions before I do that:

- IIUC, the + qualifier without explicit group looks in Winbind groups,
then in /etc/passwd, then in /etc/groups. Apparently, this effectively
fails all logins if a user with the same name as the requested group is
found. Question: is this behaviour intentional? 

- The & qualifier searches in NIS groups, + searches in Winbind and Unix groups,
@ is the same as &+. It looks to me as if you're trying to discourage this
@&+ syntax, and using an explicit group name instead. Question: how does explicit
group naming support multiple group lookup options? Because if I'm correct, there
is a strong asymmetry:

   &                - NIS only
   +"Unix Group\"   - unix groups only
   ???????          - winbind only
   +                - winbind and unix groups
   ???????          - NIS and winbind
   ???????          - NIS and unix groups
   @,&+,+&          - All three

I'm not sure if the unknown combinations make any sense, but would it be at
least more logical to either add more special qualifiers, e.g., + is still
unix users/groups strictly, and * is winbind, @ same as &*+. Or, if it is
indeed so that you're dissatisfied with @&+, clean up the explicit group syntax,
so it doesn't contradict the @&+ notation (by contradiction I mean that in
order to specify a group one has to prefix one of @&+, and then again specify
the group name). In this case you probably need only @ to say 'this is group,
not user', and possibly extend the group syntax to "Unix Group|NIS|Winbind\myuser".

	Dmitry Karasik
