[Freeipa-devel] [PATCH] 75-78 Add fallback group

Simo Sorce simo at redhat.com
Fri Oct 5 13:45:58 UTC 2012


On Fri, 2012-10-05 at 16:27 +0300, Alexander Bokovoy wrote:
> On Tue, 02 Oct 2012, Simo Sorce wrote:
> >On Tue, 2012-10-02 at 21:29 +0200, Sumit Bose wrote:
> >> Hi,
> >>
> >> this patch should fix https://fedorahosted.org/freeipa/ticket/2955 by
> >> adding a fallback group as described in comment 2 of the ticket in
> >> ipa-adtrust-install.
> >>
> >> If you prefer to use a different kind of group I can change the patch
> >> accordingly.
> Patch works for me, so ACK except the group name.
> 
> >Yes I think we should use a more natural group name. In my recent
> >testing I have been using the name 'Trust Users' that pairs well with
> >another group we create called 'Trust Admins'. But I am open to
> >suggestions on a better name, 'Domain Users' may be better if we really
> >want to associate the well-known SID to this group.
> I'm fine with 'Trust Users'.
> 
> >On the SID side I wonder if using the well-known 'Domain Users' SID is
> >the right thing to do. I do not see any special reasons why it shouldn't
> >but I also do not have any special reason why we should.
> >Can anyone think of any pros/cons of doing that?
> Since it only has special meaning within the same domain and we are not
> using it for anything, it should be fine.

Well, it has a special meaning for Samba servers ... we may have a few in
the IPA domain.
I think using that SID is fine but I think then the name 'Trust Users'
could be confusing to users looking at permissions.

We also need to make the group a POSIX group btw, because Samba uses the
Primary Group SID for users and if it can't be resolved to uid/gids it
will probably prevent authentication.

What about calling it 'Default SMB Group' or similar?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



