FIxed [was Re: Authentication through transitive trusts]
Ken Cross
kcross at nssolutions.com
Thu Aug 7 13:29:52 GMT 2003
We provide a web-based GUI to let system administrators manage ACLs. The
list of users/groups is clearly identified as to which domains they belong.
It's a convenience (but a big one).
User lists are used for other things as well. For example, they can change
the UID assigned to a domain user through the GUI to match, say, NIS UIDs.
This, too, requires a list of users.
Ken
________________________________
Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com
> -----Original Message-----
> From: Esh, Andrew [mailto:Andrew_Esh at adaptec.com]
> Sent: Thursday, August 07, 2003 9:23 AM
> To: 'Ken Cross'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: FIxed [was Re: Authentication through transitive trusts]
>
>
> In "let them choose", who is "them"? NFS users?
>
> The windows client gets the list of users to apply for an ACL
> directly from the domain. If your system pulls in a list and
> lets them choose the users as if they are local to the Samba
> server, then it's doing a user identity translation in both
> directions that isn't needed at all. Let the client choose
> users and groups from the domain, and then they will send you
> the ACL list with the SIDs for each entry already set.
>
> If you're pulling in the list to do UID mapping between
> Windows and NFS, good luck.
>
> I suppose it would be nice if wbinfo -u took an optional
> domain name argument, to scope the output.
>
> -----Original Message-----
> From: Ken Cross [mailto:kcross at nssolutions.com]
> Sent: Thursday, August 07, 2003 6:10 AM
> To: 'Gerald (Jerry) Carter'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: FIxed [was Re: Authentication through transitive trusts]
>
>
> > >
> > > How 'bout we add a switch to wbinfo (and appropriate support in
> > > winbindd) to limit the list on -u or -g to the domain we have joined,
> > > or some specific domain. Maybe --domain=<domain-name> (with something
> > > like "." for the domain we joined)?
> >
> > Why are you running 'wbinfo -u'? What purpose does it serve other than
> > debugging? Are you piping the users to another program?
> >
>
> Yep. It's used to manage ACLs. Domain users/groups can be added to ACLs,
> so we present a list and let them choose.
>
> Consequently, we need to authenticate against any domain, but be able to
> limit the list to a reasonable size.
>
> Currently, the list from wbinfo -u is just the domain we joined or *all*
> domains. Some other options would be useful.
>
> Ken
> ________________________________
>
> Ken Cross
>
> Network Storage Solutions
> Phone 865.675.4070 ext 31
> kcross at nssolutions.com
>