On Thu, 2003-03-13 at 20:46, Simo Sorce wrote:
> On Thu, 2003-03-13 at 01:32, Andrew Bartlett wrote:
> > On Thu, 2003-03-13 at 10:38, Michael Fair wrote:
> > > I haven't done much work in this area yet so please feel
> > > free to correct me as you see fit, but as I understand it,
> > > part of the problem we face is that the equivalents of
> > > the UID and a GID in UNIX are mapped to the same address
> > > space in Windows.
> > >
> > > I was working on some unrelated ACL stuff and thought
> > > about the potential of practically eliminating the use
> > > of an ACL on a UID and only using ACLs on groups.
> >
> > I think this is a very good idea. We would effectively create a 'user
> > private group' for every winbindd user. And if they turned out to be a
> > group, then we just populate them with members!
>
> This is an approach I proposed last summer to Jeremy and
> Tridge at Jeremy's, and that would have also cured the "problem" that
> all distributions that automatically create a private group for a user
> have, but it seems they were not convinced so I didn't push the idea
> anymore :-)
>
> > This helps us particularly with the problem that we don't know the type
> > of a SID without a lookup - a lookup that may well fail.
>
> Exactly!

I'm glad we agree!

> > This would also solve a nasty problem we have that we don't know the
> > 'real' primary group of every user for NT4 domains, when doing a
> > getgrent(). Instead we assume 'domain users'. This would allow us to
> > always know that value.
>
> No, that's not right, we must have a Primary Group in local passdb and
> use Domain Users as a fallback.

This is where I've lost what you mean... I'm talking about winbind as a
domain member, but I'm open to suggestions.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net