[Samba] unix group membership -- broken in 3.0.23c?
Dmitry Karasik
dmitry at karasik.eu.org
Fri Nov 17 13:37:07 GMT 2006
> Question: Would you want to rewrite the section for "invalid
> users"? The developers on this list here will certainly help
> with questions you have and proof-read your suggestions :-)
I have questions before I do that:
- IIUC, the + qualifier without explicit group looks in Winbind groups,
then in /etc/passwd, then in /etc/groups. Apparently, this effectively
fails all logins if a user with the same name as the requested group is
found. Question: is this behaviour intentional?
- The & qualifier searches in NIS groups, + searches in Winbind and Unix groups,
@ is the same as &+. It looks to me as if you're trying to discourage this
@&+ syntax, and using explicit group name instead. Question: how does explicit
group naming support multiple group lookup options? Because if I'm correct, there
is a strong asymmetry:
& - NIS only
+"Unix Group\" - unix groups only
??????? - winbind only
+ - winbind and unix groups
??????? - NIS and winbind
??????? - NIS and unix groups
@,&+,+& - All three
I'm not sure if the unknown combinations make any sense, but would it be at
least more logical, to either add more special qualifiers, f.ex, + is still
unix users/groups strictly, and * is winbind, @ same as &*+ . Or, if it is
indeed so that you're dissatisfied with @&+, clean up the explicit group syntax,
so it doesn't contradict the @&+ notation ( by contradiction I mean that in
order to specify a group one has to prefix one of @&+, and then again specify
the group name). In this case you probably need only @ to say 'this is a group,
not user', and possibly extend the group syntax to "Unix Group|NIS|Winbind\myuser".
--
Sincerely,
Dmitry Karasik