v3-6-ctdb: s3: Add the "net groupfilter" command
This is the start of a bad hack for even worse systems: Many Unix systems still
have the NGROUPS problem: A user cannot be a member of more than a very limited
number of groups. Solaris for example limits this to 16 by default. Many
Windows environments have a *LOT* more groups per user, some even go to
hundreds. Whether that is efficient is debatable, but it's there.
This patch implements the "net groupfilter" command with the "addsid",
"delsid" and "list" subcommands. If any SIDs are
present according to "net groupfilter list" (they are stored in secrets.tdb),
then only the SIDs in that list are converted to GIDs for a user at login time.
This gives the Administrator the possibility to define a set of groups that are
used on the Unix box, making sure that no user is in more than NGROUPS of those
at a time.
This patch is incomplete in the sense that winbind is not aware of this, only
smbd. So it is kind of an emergency hack for smbd-only machines.
Volker
Signed-off-by: Michael Adam <obnox@samba.org>