Gerald (Jerry) Carter
2006-Jul-20 16:35 UTC
[Samba] Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
Volker,

Assume I have a member server named LINUX joined to a domain named AD. Now assume I have a local user named foo in my passdb and a user named foo in the domain as well. I'm modifying winbindd_util.c:parse_domain_user() to do a lookup_name() to try to figure out which domain to prepend to the username rather than just assuming it's a domain user. But this means that we'll always choose the local user (due to the order of an isolated search in lookup_name()).

The main problem is the use default domain abomination will confuse local and domain users of the same name and possibly return incorrect group membership.

I am about a 1/2 inch from marking the smb.conf option as deprecated and adding a similar option to pam_winbind.conf. This option just cannot work reliably.

Do you have any suggestions?

cheers, jerry

====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
simo
2006-Jul-20 16:59 UTC
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote:
> Volker,
>
> Assume I have a member server named LINUX joined to a
> domain named AD. Now assume I have a local user named foo
> in my passdb and a user named foo in the domain as well.
> I'm modifying winbindd_util.c:parse_domain_user() to do
> a lookup_name() to try to figure out which domain to prepend
> to the username rather than just assuming it's a domain user.
> But this means that we'll always choose the local user
> (due to the order of an isolated search in lookup_name()).
>
> The main problem is the use default domain abomination
> will confuse local and domain users of the same name and
> possibly return incorrect group membership.
>
> I am about a 1/2 inch from marking the smb.conf option
> as deprecated and adding a similar option to pam_winbind.conf.
> This option just cannot work reliably.
>
> Do you have any suggestions?

I would just document that local users will always take precedence. Winbind use default domain is too valuable to be removed imho.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
Volker Lendecke
2006-Jul-20 18:41 UTC
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
On Thu, Jul 20, 2006 at 11:35:11AM -0500, Gerald (Jerry) Carter wrote:
> Assume I have a member server named LINUX joined to a
> domain named AD. Now assume I have a local user named foo
> in my passdb and a user named foo in the domain as well.
> I'm modifying winbindd_util.c:parse_domain_user() to do
> a lookup_name() to try to figure out which domain to prepend
> to the username rather than just assuming it's a domain user.
> But this means that we'll always choose the local user
> (due to the order of an isolated search in lookup_name()).

What about, in the case of winbind use default domain, doing a qualified lookup_name() first and, if that fails, doing the unqualified one?

Volker