-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Gasch wrote: > hi again :) > >> It's a variant of the same problem but has been >> exacerbated by the change from string comparisons >> to token based access checks for smb.conf parameters. > > stupid question: so why did you change to token based > access check at all? what were/are samba-internal reasons > to do this?
Consistency. We have to use the token for so many other access checks, it made little sense to have to convert back and forth between uids/gids, strings, and SIDs for handling smb.conf. >> There's am implied order of precedence being applied >> for unqualified names in smb.conf. >> >> * lookup the name as a user in passdb >> * lookup the name as a group in passdb >> * lookup the name as a user in "Unix User" >> * lookup the name as a group in "Unix Group" >> >> First match wins. > > ok, but does this also apply on a member server > running winbindd, because you say "passdb" and i always > thought a domain member running winbindd has no own passdb > (http://de.samba.org/samba/docs/man/Samba3-HOWTO/images/idmap-sid2uid.png). > or is passdb here just a "global word" for user > backends no matter if on a DC or a member? Domain members can have a local SAM. It's always been like this. Think about loggnig onto a Windows client. The CTRL+ALT+DEL screen presents you with at least two domains. The Windows domain and the machine domain. > consider this case: > valid users = DOMAIN\test DOMAIN\test > > DOMAIN\test is a user and a group (donĀ“t ask why ;) ) Won't work. Windows does not allow this. We've been recommending against this for a while. Certainly wouldn't work from the Windows object picker UI. > members of the group DOMAIN\test woul never be able > to logon to this share, right? Correct. cheers, jerry ===================================================================== Samba ------- http://www.samba.org Centeris ----------- http://www.centeris.com "What man is a man who does not make the world better?" --Balian -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE2cx0IR7qMdg1EfYRAqWnAKDwC8B3okLWwfCVyNfM5vnNMw1SGgCeIUkf wGvHVib7clkt9YB2Ovktz5M= =Ytpu -----END PGP SIGNATURE----- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
