git.samba.org - obnox/samba-ctdb.git/commit

author	Volker Lendecke <vl@samba.org>
	Sun, 14 Dec 2008 23:16:56 +0000 (00:16 +0100)
committer	Volker Lendecke <vl@samba.org>
	Tue, 9 Aug 2011 14:58:49 +0000 (16:58 +0200)
commit	4425e9ab6aa5ae43dd8971b8ab7439df3190f465
tree	865e7ead90089d9465d2626dbb24cf0d142f0a83	tree
parent	388b022526d11a369c4a9b93fccf05c44db824ec	commit \| diff

v3-6-ctdb: s3: Add the "net groupfilter" command

This is the start of a bad hack for even worse systems: Many Unix systems still
have the NGROUPS problem: A user can not be member of more than a very limited
number of groups. Solaris for example limits this to 16 by default. Many
Windows environments have a *LOT* more groups per user, some even go to
hundreds. Whether that is efficient is debatable, but it's there.

This patch implements the

"net groupfilter"

command with the "addsid", "delsid" and "list" subcommands. If any SIDs are
present according to "net groupfilter list" (they are stored in secrets.tdb),
then only the SIDs in that list are converted to GIDs for a user at login time.

This gives the Administrator the possibility to define a set of groups that are
used on the Unix box, making sure that no user is in more than NGROUPS of those
at a time.

This patch is incomplete in the sense that winbind is not aware of this, only
smbd. So it is kind of an emergency hack for smbd-only machines.

Volker

Signed-off-by: Michael Adam <obnox@samba.org>

source3/auth/auth_util.c		diff \| blob \| history
source3/include/proto.h		diff \| blob \| history
source3/include/secrets.h		diff \| blob \| history
source3/lib/util_sid.c		diff \| blob \| history
source3/passdb/secrets.c		diff \| blob \| history
source3/utils/net.c		diff \| blob \| history