[Samba] User's groups issue

Gerald (Jerry) Carter jerry at samba.org
Tue Aug 26 18:41:31 GMT 2008


Ephi Dror wrote:
> Hello again,
> 
> I looked at the code and found out that really the 
> only way to have accurate group membership info is
> if one of the following functions is called:
> 
> In winbindd_pam.c:
> 
> 1. winbindd_dual_pam_auth()
> 2. winbindd_dual_pam_auth_crap()
> 
> I would recommend to think about ways to call 
> netsamlogon_clear_cached_user() in other places to allow
> non-authentication PAM functions such as "id" to work well.

The samlogon reply or PAC information is the only completely
accurate view of the user group membership.  Querying AD
is not always guaranteed to work.  So the samlogon cache
takes precedence.  As to an expiration time on the cache
entry, we have never agreed on how to do this without
potentially deleting information during a valid user session
since applications are not required to call pam_close_session().

Also, the concept of an SMB session becomes more difficult to
track in this case.





cheers, jerry