[Pkg-samba-maint] Bug#462045: Bug#462045: samba: automagically add initial set of domain groups

Steve Langasek vorlon at debian.org
Tue Jan 13 20:16:40 UTC 2009 

tags 462045 -wontfix
thanks

On Tue, Jan 13, 2009 at 07:13:23PM +0100, Christian Perrier wrote:
> > Currently the default Samba install assumes you wish to either be a PDC
> > or a standalone server (things could be setup so it asks you if Samba
> > shluld be a BDC or Domain member, but there are not).

> > In either case the following Windows groups need to exist:

> > 	- Domain Admins
> > 	- Domain Users
> > 	- Domain Guests

> > Each of these groups has a well-known Unix group equivalent, (ntadmins,
> > users and nogroup) respectively.

> > It would be good if:

> > 	- these Unix groups (ntadmins, users and nogroup) were added if
> > 	  they went not present.

> Well, that's contradictory. In one sentence, you mention these groups
> to be "well-known groups"....but, later, you suggest adding them if
> they don't exist.

> It is my understanding that "well-known groups" are groups that have a
> significant-enough prevalence to be added in base-passwd.... If these
> ones aren't, they're not well-known enough

The 'users' and 'nogroup' groups are both part of base-passwd, so there
would be no need to add these in the maintainer script.

Only the 'ntadmin' group is questionable.  It's given as an example group
name in smb.conf, but I don't think we can reasonably assume that it's ok to
automatically map it as 'Domain Admins' if it exists on the target system,
since a user may have created it for some *other *purpose.

> > 
> > 	- these mappings were automatically added into Samba
> > 	(net groupmap add ntgroup="Domains Admins" unixgroup="ntadmins"
> > rid=512 type=d, etc.)

> More generally speaking, I think that such tweaking belongs to the
> local administrator and providing this for all users of the samba
> package would certainly have weird side effects.

> Therefore, I don't think we should implement this. Other maintainers,
> please untag this bug if you disagree.

I disagree, so untagging.  I think it would be reasonable to set up the
Domain Users / Domain Guests mappings by default on a first install.

I may be convinced otherwise by the time we go to implement it, but at least
for the moment I think it's worth looking at.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org

More information about the Pkg-samba-maint mailing list