Tema: Re: SAMBA DOMENAS
Autorius: Vidas Makauskas
Data: 2008-05-15 17:15:02
Matyt problema turiu kita, nes panasu, kad nuo 3.0.23 versijos grupiu 
mapinimas yra nebutinas. Is tikro VIDAS prisijunge be mapinimo, kuri as 
buvau isdeletines. Cia pridedu ilga teksta:

User and Group changes
======================

The user and group internal management routines have been
rewritten to prevent overlaps of assigned Relative Identifiers
(RIDs). In the past the has been a potential problem when either
manually mapping Unix groups with the 'net groupmap' command or
when migrating a Windows domain to a Samba domain using 'net rpc
vampire'.

Unmapped users are now assigned a SID in the S-1-22-1 domain and
unmapped groups are assigned a SID in the S-1-22-2 domain.
Previously they were assign a RID within the SAM on the Samba
server. For a DC this would have been under the authority of the
domain SID where as on a member server or standalone host, this
would have been under the authority of the local SAM (hint: net
getlocalsid).

The result is that any unmapped users or groups on an upgraded
Samba domain controller may be assigned a new SID. Because the
SID rather than a name is stored in Windows security descriptors,
this can cause a user to no longer have access to a resource for
example if a file was copied from a Samba file server to a local
NTFS partition. Any files stored on the Samba server itself will
continue to be accessible because Unix stores the Unix gid and not
the SID for authorization checks.

A further example will help illustrate the change. Assume that a
group named 'developers' exists with a Unix gid of 782 but this
user does not exist in Samba's group mapping table. it would be
perfectly normal for this group to be appear in an ACL editor.
Prior to 3.0.23, the group SID might appear as
S-1-5-21-647511796-4126122067-3123570092-2565. With 3.0.23, the
group SID would be reported as S-1-22-2-782. Any security
descriptors associated with files stored on an NTFS disk partition
would not allow access based on the group permissions if the user
was not a member of the
S-1-5-21-647511796-4126122067-3123570092-2565 group. Because this
group SID not reported in a user's token is S-1-22-2-782, Windows
would fail the authorization check even though both SIDs in some
respect referred to the same Unix group.

The current workaround is to create a manual domain group mapping
entry for the group 'developers' to point at the
S-1-5-21-647511796-4126122067-3123570092-2565 SID.
+Nereali problema su Solaris 10Andrius2008-05-05 23:02
+IrFanView alternatyva?Artūras Šlajus2008-05-05 15:53
-SAMBA DOMENASVidas Makauskas2008-04-30 12:44
Re: SAMBA DOMENASVidas Makauskas2008-05-07 11:57
Re: SAMBA DOMENASejs2008-05-07 15:58
Re: SAMBA DOMENASVidas Makauskas2008-05-08 08:10
Re: SAMBA DOMENASejs2008-05-08 13:39
Re: SAMBA DOMENASVidas Makauskas2008-05-10 11:58
Re: SAMBA DOMENASVidas Makauskas2008-05-13 14:47
Re: SAMBA DOMENASNerijus2008-05-14 07:47
Re: SAMBA DOMENASVidas Makauskas2008-05-16 08:05
Re: SAMBA DOMENASNerijus2008-05-16 17:39
Re: SAMBA DOMENASVidas Makauskas2008-05-17 12:49
Re: SAMBA DOMENASNerijus2008-05-19 09:36
Re: SAMBA DOMENASNerijus2008-05-19 09:43
Re: SAMBA DOMENASNerijus2008-05-19 14:42
Re: SAMBA DOMENASNerijus2008-05-19 15:44
Re: SAMBA DOMENASVidas Makauskas2008-05-21 11:45
Re: SAMBA DOMENASVidas Makauskas2008-05-21 11:56
Re: SAMBA DOMENASejs2008-05-21 11:59
Re: SAMBA DOMENASVidas Makauskas2008-05-21 13:42
Re: SAMBA DOMENASejs2008-05-21 13:59
Re: SAMBA DOMENASVidas Makauskas2008-05-15 16:47
Re: SAMBA DOMENASVidas Makauskas2008-05-15 17:15
Re: SAMBA DOMENASejs2008-05-13 18:38
Re: SAMBA DOMENASNerijus2008-05-12 09:42
Re: SAMBA DOMENASejs2008-05-10 12:50
Re: SAMBA DOMENASVidas Makauskas2008-05-10 14:18
Re: SAMBA DOMENASNerijus2008-05-08 07:56
Re: SAMBA DOMENASejs2008-05-08 13:40
Re: SAMBA DOMENASejs2008-04-30 13:09
Re: SAMBA DOMENASVidas Makauskas2008-04-30 14:46
Re: SAMBA DOMENASejs2008-04-30 21:11
Re: SAMBA DOMENASVidas Makauskas2008-04-30 14:18
Re: SAMBA DOMENASejs2008-04-30 21:13
+RAID5 Big problem sunkus klausimasauris2008-04-29 21:23
+Bonding'as + Vlan'aiPukuotukas2008-04-28 17:15
+PortaiMantas2008-04-25 15:39
Easy Money!!skarfas2008-04-24 15:06
+Autoresponderis Postfix'uiMeff2008-04-24 14:53
+ar yra unerase toolsas ext3 ?aa2008-04-22 17:41
+wtf?W2008-04-22 16:37
+Kaip apsiginti nuo sito slamstoLevas2008-04-21 21:12
+universali OSShkem2008-04-20 05:06
+kvailokas klausimasvaikis-paikis2008-04-17 22:57
+Kaip perkelti GRUB'a i kita diskaVidas Makauskas2008-04-17 09:29
Nokia IP40El Savior2008-04-16 17:04
+squid windows updateMantas2008-04-16 16:18
+txt2pdfwidzew2008-04-16 08:45
php skriptu vydkymo uzdraudimasledasl2008-04-16 00:01
+Q: del instaliavimoSanches2008-04-15 15:21
HELP: COM portmindaugas2008-04-13 21:48
+laikasSaulius G.2008-04-12 19:33
+openvpnMantas2008-04-10 23:27
+skaitymas is serial portoCodeC2008-04-09 21:55
+DHCP politikaRolkiz2008-04-08 12:40
Sendmail masquerading-=: EiMiS :=-2008-04-08 10:23
+klausimas su virtualboxNerijus Skar2008-04-08 09:23
+Klausimassergeii2008-04-04 15:43
+Freebsd 7.0+ mod_security2Antanas Atlaikytas2008-04-03 13:32
+Backup scriptaiAur2008-04-02 20:05
+Proliant nc360t pci express dual port tinklo ploksteauksiniz2008-03-31 13:47
+Mac OS ant VMWareMaug Lee2008-03-31 11:17
+Router passwordPluss2008-03-29 17:38
+priskirto savininko (owner) keitimastOMZY2008-03-29 16:06
+/dev/ttySx dazniaiTomas D.2008-03-28 03:19
+Q: backup'inis soft'as linuxeDex2008-03-27 11:38
+Del linuxosergeii2008-03-26 15:41
+mem usagetest2008-03-24 09:25
+pluginsas windaitest2008-03-24 07:52
+Linuxxr2008-03-22 20:04
+backup'ainews.omnitel.net2008-03-19 19:21
+spamassasino klausimasLevas2008-03-19 18:49
+routing - fw - etc...@rycius2008-03-19 16:40
+ar "rankinis" package instaliavimas nepanaikina updeitu is repozitoriumuaa2008-03-19 14:57
+nevaldomas server load didejimasAWeX2008-03-18 17:34