Mixed profiles w/Samba-PDC

Luke Kenneth Casson Leighton lkcl at switchboard.net
Wed May 27 16:30:27 GMT 1998


> > > 
> > > The 1 is the posix offset, rid=uid+1000 for normal users
> > 
> > ah: the 1000 should actually be 0x10000...
> 
> Are you sure?

no :-)  i _think_ it doesn't matter as long as the mapping a) exists b) is
monotonic.


> The POSIX subsystem is creating a UNIX-like id (32 bit number) 
> from the NT RID.  What I think Samba PDC is trying to do is the reverse;
> creating a RID from a UNIX id.
> 
> If you want Samba to look like an NT system, then the user RID's 
> you generate should start at 1000 since 1000 is the first RID 
> created for users via UserManager.

... which is what i randomly chose to do.  however, no proper mapping
currently exists for group rids.

> How POSIX subsystem creates UNIX-like from an NT SID:
>  It takes the RID (it strips off the DomainSid part)
>  and then adds a special offset value depending on the type of DomainSid.
>  For instance:
>    special well-known ids have the 0x10000 offset   (Everyone       = 0x10100)
>    built-in domain ids have the 0x20000 offset      (Administrators = 0x20220)
>                                                     (Guests         = 0x20222)
>    local machine ids have the 0x30000 offset        (Administrator  = 0x301F4)
>                                                     (Guest          = 0x301F5)
>                                                     (User1          = 0x303E8)
>    primary domain ids have the 0x100000 offset      (Domain1\User1  = 0x1003E8)
>    1st trusted domain uses the 0x200000 offset      (Domain2\User1  = 0x2003E8)
>    2nd trusted domain uses the 0x300000 offset      (Domain2\User1  = 0x3003E8)

what about group rids?

> So, if the Samba PDC is to work with the POSIX subsystem(s)
> (the MS POSIX subsystem is *not* the only commercial POSIX subsystem 
>  implementation)
> it has to ensure that RID's do not get any larger than 0x100000.

ok, assuming that we meet this requirement, regardless: it is slowly
dawning on me that we may not need to use the posix sub-system uid<->rid
mapping system in samba: it would appear to be a completely separate
issue.

in fact, applying it may only confuse people because they may think that
they can do this:

unix uid (on samba) --no-mapping-> posix uid (on nt workstation)

whereas what they should do is this:

unix uid (on samba) --uid-to-user-rid-> nt user rid (on nt workstation)
--opennt-rid-to-posix-> posix uid (on nt workstation).

does this make any sense, mark?



More information about the samba-ntdom mailing list
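The two mappings discussed in this thread, modelled as an added example (editor's code, not Samba's and not from anyone on the list): the Samba-side uid-to-user-RID rule (rid = uid + 1000, with the "RIDs must stay below 0x100000" requirement enforced), and the NT POSIX-subsystem side that turns a SID into a 32-bit id by stripping the domain part and adding the per-domain offset quoted above. The SID prefixes for BUILTIN (S-1-5-32) and the S-1-5-21-... machine/domain form are standard; the machine and domain SIDs used in the code are constructed placeholders. The "Everyone = 0x10100" value quoted in the mail does not follow the plain RID-plus-offset arithmetic, so well-known SIDs are handled by a one-entry table here rather than computed.

```python
# Added example modelling the uid <-> RID and SID -> POSIX-id mappings
# discussed in the samba-ntdom thread. Not Samba code.

USER_RID_BASE = 1000       # first RID UserManager hands out for users (from the mail)
MAX_RID = 0x100000         # RIDs must stay below this for POSIX subsystems (from the mail)

# Offsets the NT POSIX subsystem adds to the RID, per domain type (from the mail).
OFFSET_BUILTIN = 0x20000
OFFSET_LOCAL = 0x30000
OFFSET_PRIMARY_DOMAIN = 0x100000
OFFSET_DOMAIN_STEP = 0x100000        # 1st trusted = 0x200000, 2nd trusted = 0x300000, ...

# Well-known SIDs: the mail quotes Everyone = 0x10100, which is not RID + 0x10000,
# so they are looked up rather than computed.
WELL_KNOWN_POSIX_IDS = {"S-1-1-0": 0x10100}

BUILTIN_SID = "S-1-5-32"


def uid_to_user_rid(uid):
    """Samba side: rid = uid + 1000, refusing RIDs the POSIX subsystem cannot take."""
    if uid < 0:
        raise ValueError("uid must be non-negative")
    rid = uid + USER_RID_BASE
    if rid >= MAX_RID:
        raise ValueError("uid %d gives rid 0x%X, which is not below 0x%X"
                         % (uid, rid, MAX_RID))
    return rid


def user_rid_to_uid(rid):
    """Inverse of uid_to_user_rid; rejects RIDs below the user range."""
    if rid < USER_RID_BASE:
        raise ValueError("rid %d is below the user RID range" % rid)
    return rid - USER_RID_BASE


def is_monotonic(uids):
    """The mail's requirement: the uid->rid mapping exists and is monotonic."""
    rids = [uid_to_user_rid(u) for u in uids]
    return all(a < b for a, b in zip(rids, rids[1:])) and uids == sorted(uids)


class PosixSubsystemMapper:
    """NT workstation side: SID -> 32-bit POSIX id, as described in the mail."""

    def __init__(self, local_machine_sid, primary_domain_sid, trusted_domain_sids=()):
        self.local_machine_sid = local_machine_sid
        self.primary_domain_sid = primary_domain_sid
        self.trusted_domain_sids = list(trusted_domain_sids)

    def sid_to_posix_id(self, sid):
        if sid in WELL_KNOWN_POSIX_IDS:
            return WELL_KNOWN_POSIX_IDS[sid]
        # Strip the DomainSid part: everything before the last hyphen is the
        # domain, the trailing component is the RID.
        domain, rid_text = sid.rsplit("-", 1)
        rid = int(rid_text)
        if domain == BUILTIN_SID:
            offset = OFFSET_BUILTIN
        elif domain == self.local_machine_sid:
            offset = OFFSET_LOCAL
        elif domain == self.primary_domain_sid:
            offset = OFFSET_PRIMARY_DOMAIN
        elif domain in self.trusted_domain_sids:
            # 1st trusted domain -> 0x200000, 2nd -> 0x300000, and so on.
            offset = OFFSET_PRIMARY_DOMAIN + OFFSET_DOMAIN_STEP * (
                self.trusted_domain_sids.index(domain) + 1)
        else:
            raise ValueError("SID %s belongs to no known domain" % sid)
        return offset + rid


def samba_uid_to_nt_posix_id(uid, samba_domain_sid, mapper):
    """The full chain from the mail: unix uid -> NT user RID -> POSIX uid on the workstation."""
    rid = uid_to_user_rid(uid)
    return mapper.sid_to_posix_id("%s-%d" % (samba_domain_sid, rid))


if __name__ == "__main__":
    # Constructed placeholder SIDs: a workstation, a Samba PDC domain, two trusted domains.
    mapper = PosixSubsystemMapper("S-1-5-21-1-2-3", "S-1-5-21-4-5-6",
                                  ["S-1-5-21-7-8-9", "S-1-5-21-10-11-12"])
    print(hex(mapper.sid_to_posix_id("S-1-5-32-544")))              # Administrators
    print(hex(samba_uid_to_nt_posix_id(0, "S-1-5-21-4-5-6", mapper)))  # unix uid 0 on samba
```

Running the script shows the point of the thread: unix uid 0 on the Samba server becomes user RID 1000, and the NT workstation then turns that into POSIX id 0x1003E8, so the Samba uid and the NT-side POSIX uid are different numbers joined by two separate mappings, not one.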