New Unix user and group domain

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Feb 26 18:46:02 GMT 2006


On Sat, Feb 25, 2006 at 11:49:49AM -0600, Gerald (Jerry) Carter wrote:
> The scenario I was thinking of was a Samba member server
> in a Samba domain sharing a uid/gid name (no \unixinfo

This is the 'trusted domains only = yes'?

> pipe yet).  When we create the token for the user from
> the NET_USER_INFO_3.  Don't we need those SIDs ?

Right, here we probably need those. We used to have the
algorithmic fallback ones in place here. As the S-1-22 SIDs
are completely new, adding them as auxiliary groups in the
INFO3 does not hurt anybody out there.

> Now granted that domain groups are broken in this
> scenario without the \unixinfo pipe support since the
> sid_to_gid() will fail.  So are we any worse off now?

No, it should not fail. 'trusted domains only = yes' goes
via the name.

> Probably not as long as the unmapped groups continue
> to work as they do in 3.0.21.  Make sense?

That's the point: They don't. Under option (c) (we just
don't care) they would not show up in the samba member's
token.

> OK. That's fine.  Can we just say then that local groups
> require 'winbind nested groups = yes' ?

Yes. As we discussed a while ago, this should be the new
default I think.

The notable exception here should be the
BUILTIN\Administrators with some to be discussed defaults.
This does not count as a local group in the strictest sense,
this should become our default way of asking "Am I root?".

Volker
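To make the mechanics under discussion concrete, here is a small model of the S-1-22 mapping and the token-building step, added as an illustration and not taken from Samba's source. It assumes Samba's convention that Unix users live under S-1-22-1-&lt;uid&gt; and Unix groups under S-1-22-2-&lt;gid&gt;, and that BUILTIN\Administrators is the well-known SID S-1-5-32-544; the `info3` dictionary, the `idmap` table and the Unix gid list are constructed stand-ins for a NET_USER_INFO_3 structure and the member server's own group database.

```python
"""Illustrative model (not Samba code) of the S-1-22 Unix user/group SIDs,
the algorithmic sid_to_gid fallback, and adding the member server's own
Unix groups to a user's token as auxiliary group SIDs."""

from typing import Dict, List, Optional

# Assumed from Samba's conventions: the "Unix Users" and "Unix Groups" domains.
UNIX_USERS = "S-1-22-1"    # S-1-22-1-<uid>
UNIX_GROUPS = "S-1-22-2"   # S-1-22-2-<gid>
# Well-known Windows SID for BUILTIN\Administrators.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def uid_to_sid(uid: int) -> str:
    """Algorithmic mapping of a Unix uid into the S-1-22-1 domain."""
    return f"{UNIX_USERS}-{uid}"


def gid_to_sid(gid: int) -> str:
    """Algorithmic mapping of a Unix gid into the S-1-22-2 domain."""
    return f"{UNIX_GROUPS}-{gid}"


def sid_to_gid(sid: str, idmap: Dict[str, int]) -> Optional[int]:
    """Resolve a group SID to a gid.

    S-1-22-2 SIDs carry the gid in their last RID and never need a mapping
    table; any other SID needs an explicit idmap entry and yields None when
    it is unmapped, which is the failure case the thread refers to."""
    prefix = UNIX_GROUPS + "-"
    if sid.startswith(prefix):
        rid = sid[len(prefix):]
        return int(rid) if rid.isdigit() else None
    return idmap.get(sid)


def build_token(info3: Dict, unix_gids: List[int]) -> List[str]:
    """Build the SID list of a user token.

    Domain SIDs come from the (constructed) NET_USER_INFO_3 data; the member
    server's own Unix groups are appended as S-1-22-2 auxiliary group SIDs,
    which cannot collide with anything the domain controller hands out."""
    domain = info3["domain_sid"]
    sids = [f"{domain}-{info3['user_rid']}", f"{domain}-{info3['group_rid']}"]
    sids += [f"{domain}-{rid}" for rid in info3["other_rids"]]
    sids += [gid_to_sid(g) for g in unix_gids]
    # Keep first occurrence of each SID, preserving order.
    seen, token = set(), []
    for s in sids:
        if s not in seen:
            seen.add(s)
            token.append(s)
    return token


def is_root(token: List[str]) -> bool:
    """The 'Am I root?' question expressed as a token check."""
    return BUILTIN_ADMINISTRATORS in token


# Constructed sample data standing in for a NET_USER_INFO_3 reply.
SAMPLE_INFO3 = {
    "domain_sid": "S-1-5-21-111-222-333",   # constructed domain SID
    "user_rid": 1105,
    "group_rid": 513,
    "other_rids": [1200, 513],
}
SAMPLE_UNIX_GIDS = [100, 1001]              # constructed local group database

if __name__ == "__main__":
    tok = build_token(SAMPLE_INFO3, SAMPLE_UNIX_GIDS)
    print("token:", tok)
    print("is root:", is_root(tok))
    for s in tok:
        print(s, "->", sid_to_gid(s, {}))
```

Resolving the token back to gids with an empty idmap shows the asymmetry the thread is about: the S-1-22-2 entries resolve algorithmically, while the domain group SIDs come back as None until an idmap entry (or the \unixinfo pipe) supplies one.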