[Samba] Samba4 Winbind - is it really not possible to be sensible?
mat at samba.org
Sat Jan 26 15:16:49 MST 2013
On 01/26/2013 12:49 PM, Rob McCorkell wrote:
> Thanks for the explanation - I wasn't thinking too much about multiple
> domains, and I guess it would be an issue. A potential solution would
> be to have offsets for each domain, specified in smb.conf? If I didn't
> have too much on my plate already I would have a look at the mapping
> code and attempt to write a solution myself.
Well, I don't like the idea of having to set something in the smb.conf
because it doesn't match with the idea of configure once and then forget it.
More importantly, it will be very hard to make it work in our automated
test suite, and not covering this part with tests is a recipe for disaster.
> The 'solution' with the UID discrepancy between nslcd and Samba was to
> feed back the nslcd UID back into Samba, then tell Samba to use those
> UIDs instead. Oh, and while I am here I might as well bring a
> particular bug to your attention - when Samba is set to use rfc2307,
> but no uidNumber attribute exists for an object, the UID number gets
> allocated. But once a uidNumber attribute is set, and the allocation
> has already taken place, the allocated UID is used instead. I can't
> imagine that this is the desired behaviour with rfc2307.
No, that's not a bug but a secure approach (IMHO), because if Samba needs
to allocate, that's either for checking access for a read or because the
user is writing a file. If the user is writing a file, it's very, very
wrong to change its UID/GID, because it means that the UID/GID in the
ACLs won't be correct and the user might not be able to access/modify/delete