Mixed profiles w/Samba-PDC
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Wed May 27 16:30:27 GMT 1998
> > >
> > > The 1 is the posix offset, rid=uid+1000 for normal users
> >
> > ah: the 1000 should actually be 0x10000...
>
> Are you sure?
no :-) i _think_ it doesn't matter as long as the mapping a) exists b) is
monotonic.
> The POSIX subsystem is creating a UNIX-like id (32 bit number)
> from the NT RID. What I think Samba PDC is trying to do is the reverse;
> creating a RID from a UNIX id.
>
> If you want Samba to look like an NT system, then the user RIDs
> you generate should start at 1000 since 1000 is the first RID
> created for users via UserManager.
... which is what i randomly chose to do. however, no proper mapping
currently exists for group rids.
> How POSIX subsystem creates UNIX-like from an NT SID:
> It takes the RID (it strips off the DomainSid part)
> and then adds a special offset value depending on the type of DomainSid.
> For instance:
> special well-known ids have the 0x10000 offset (Everyone = 0x10100)
> built-in domain ids have the 0x20000 offset (Administrators = 0x20220)
> (Guests = 0x20222)
> local machine ids have the 0x30000 offset (Administrator = 0x301F4)
> (Guest = 0x301F5)
> (User1 = 0x303E8)
> primary domain ids have the 0x100000 offset (Domain1\User1 = 0x1003E8)
> 1st trusted domain uses the 0x200000 offset (Domain2\User1 = 0x2003E8)
> 2nd trusted domain uses the 0x300000 offset (Domain2\User1 = 0x3003E8)
what about group rids?
> So, if the Samba PDC is to work with the POSIX subsystem(s)
> (the MS POSIX subsystem is *not* the only commercial POSIX subsystem
> implementation)
> it has to ensure that RIDs do not get any larger than 0x100000.
ok, assuming that we meet this requirement, regardless: it is slowly
dawning on me that we may not need to use the posix sub-system uid<->rid
mapping system in samba: it would appear to be a completely separate
issue.
in fact, applying it may only confuse people because they may think that
they can do this:
unix uid (on samba) --no-mapping-> posix uid (on nt workstation)
whereas what they should do is this:
unix uid (on samba) --uid-to-user-rid-> nt user rid (on nt workstation)
--opennt-rid-to-posix-> posix uid (on nt workstation).
does this make any sense, mark?
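As an added example (not code from this thread or from Samba itself), a Python model of the two mappings discussed above: the POSIX subsystem's SID-to-uid offset scheme that Mark lays out, and the Samba-side rid=uid+1000 rule with the 0x100000 bound he asks for. The SID strings, the domain table and the trust ordering are constructed assumptions.

```python
# Added example, not from the thread: model of the POSIX-subsystem SID -> uid
# mapping and of Samba's uid -> user RID rule. SIDs below are constructed.

# Offsets quoted in the thread, keyed by the kind of domain a RID belongs to.
FIXED_OFFSETS = {
    "well-known": 0x10000,
    "builtin":    0x20000,
    "local":      0x30000,
    "primary":    0x100000,
}
TRUSTED_BASE = 0x200000   # 1st trusted domain; each further one adds 0x100000
TRUSTED_STEP = 0x100000

SAMBA_USER_RID_BASE = 1000  # rid = uid + 1000 for normal users (from the thread)
RID_LIMIT = 0x100000        # a RID at or above this spills into the next offset range


def split_sid(sid):
    """'S-1-5-21-1-2-3-1000' -> ('S-1-5-21-1-2-3', 1000): strip off the RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_to_posix_uid(sid, domains, trusted):
    """POSIX-subsystem side.

    domains: domain SID -> kind ('well-known', 'builtin', 'local', 'primary').
    trusted: trusted domain SIDs in trust order (assumption: list order = trust order).
    """
    domain, rid = split_sid(sid)
    if rid >= RID_LIMIT:
        raise ValueError("RID %#x would collide with another domain's range" % rid)
    if domain in trusted:
        return TRUSTED_BASE + trusted.index(domain) * TRUSTED_STEP + rid
    return FIXED_OFFSETS[domains[domain]] + rid


def samba_uid_to_rid(uid):
    """Samba PDC side: derive a user RID from a UNIX uid, refusing RIDs the
    POSIX offset scheme cannot map back unambiguously."""
    rid = uid + SAMBA_USER_RID_BASE
    if rid >= RID_LIMIT:
        raise ValueError("uid %d gives RID %#x, above the 0x100000 limit" % (uid, rid))
    return rid
```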