git.samba.org - obnox/samba-ctdb.git/commit

author	Volker Lendecke <vl@samba.org>
	Sun, 14 Dec 2008 23:16:56 +0000 (00:16 +0100)
committer	Michael Adam <obnox@samba.org>
	Thu, 13 Oct 2011 15:24:38 +0000 (17:24 +0200)
commit	8451ba780e29ff2f120b7627b1620b57cb07d409
tree	a01a096e539034e720096b9968c55629feb2da1b	tree
parent	fc02a38a8603c3625294c723dbeab01358be1f81	commit \| diff

v3-6-ctdb: s3: Add the "net groupfilter" command

This is the start of a bad hack for even worse systems: Many Unix systems still
have the NGROUPS problem: A user can not be member of more than a very limited
number of groups. Solaris for example limits this to 16 by default. Many
Windows environments have a *LOT* more groups per user, some even go to
hundreds. Whether that is efficient is debatable, but it's there.

This patch implements the

"net groupfilter"

command with the "addsid", "delsid" and "list" subcommands. If any SIDs are
present according to "net groupfilter list" (they are stored in secrets.tdb),
then only the SIDs in that list are converted to GIDs for a user at login time.

This gives the Administrator the possibility to define a set of groups that are
used on the Unix box, making sure that no user is in more than NGROUPS of those
at a time.

This patch is incomplete in the sense that winbind is not aware of this, only
smbd. So it is kind of an emergency hack for smbd-only machines.

Volker

Signed-off-by: Michael Adam <obnox@samba.org>

source3/auth/auth_util.c		diff \| blob \| history
source3/include/proto.h		diff \| blob \| history
source3/include/secrets.h		diff \| blob \| history
source3/lib/util_sid.c		diff \| blob \| history
source3/passdb/secrets.c		diff \| blob \| history
source3/utils/net.c		diff \| blob \| history