On Wed, Aug 09, 2006 at 09:05:26AM +0200, Michael Gasch wrote:
> stupid question: so why did you change to token based access check at
> all? what were/are samba-internal reasons to do this?

Lots :-) We had all sorts of access check variants all over the code, all working slightly differently. So none of the developers could immediately say which kind of access check is being done in what line of the code. For security related stuff this is a very bad thing, so we had to clean that up in a big way. And as in many places we have to deal with the user's token anyway and for example in the domain member case this is the *only* reliable authorization data available, doing all access checks based on the token is the logical way to go.

> ok, but does this also apply on a member server running winbindd,
> because you say "passdb" and i always thought a domain member running
> winbindd has no own passdb

It does not have to, but it certainly can. Likewise with every Windows box, you can certainly have users, local and global groups on a Windows domain member.

> consider this case:
> valid users = DOMAIN\test DOMAIN\test
>
> DOMAIN\test is a user and a group (don't ask why ;) )
> members of the group DOMAIN\test would never be able to logon to this
> share, right?

There's no way in Windows that I know to have DOMAIN\test to be a user and a group at the same time. How did you get Windows to do that?

Volker