On Wed, May 10, 2006 at 02:28:25PM -0400, Trimble, Ronald D wrote:
> I know you and I have been over this in the past, but I have a
> few questions based on this thread. If winbind does correctly list the
> groups, why does it not correctly tell you that the user is indeed a
> member of that group?

Those two are different operations, and AD is able to put different ACLs on these operations. It's like listing a directory and reading a file in that directory. The fact that you can list /etc does not automatically mean that you can also see the contents of /etc/shadow.

> Are you saying that if you were an admin in all domains it
> would work?

It is extremely messy to find all group memberships of a user, given global groups with nesting, domain local groups, universal groups, local groups and builtin groups. It would be a nightmare to code this up reliably in a trusted environment. Given that winbind has admin privileges in all domains then it would in theory be possible, but coding that up and testing it in a relevant set of scenarios would at least require a month of work (my rough guess, others might be faster at this).

> What if the server was not merely a member
> server? Would it work then?

It would have to be a domain controller in all domains, which is as strong as being admin in all domains. Even more complicated to code up, this even goes beyond what Samba4 tries to achieve.

> I am not trying to be a pain, I am just looking for solutions to
> a problem that lots of other Windows admins like myself see as a huge
> issue.

Remove Windows from your network. That is the only real solution.

I apologize for being a bit harsh, but I've spent quite a bit of time trying to explain that what you are asking for is not possible in the world Windows presents to us. Asking over and over again does not make the situation any better.

Volker
