Samba 2.0.6 and PDC mode

Luke Kenneth Casson Leighton lkcl at samba.org
Fri Feb 11 07:22:22 GMT 2000


On Fri, 11 Feb 2000, Thien Vu wrote:

> > > Is this the case?  This suggests that SP5 cannot be used with Samba 2.0.x
> > > in PDC mode.
> >
> > well, you can't properly use 2.0.x as a pdc _Anyway_, but aside from that,
> > yes you can use SP5 --- just that if you're paranoid about security, the
> > solutions are a damn nuisance.
> 
> I was wondering what the issue with SP5 and Samba 2.0.x as a PDC. You
> probably have noticed several of my last posts deal with the inability to
> modify the HKEY_CURRENT_USER hive. Were my guesses correct about Samba not
> handling the user SIDs or is it way off base?

you're more than likely absolutely correct.
 
> According to Zhi-Wei Lu, this inability to write to that registry hive is on
> the 2.0.6 and the HEAD branches. Does the TNG branch fix this problem?

i really don't know.  unlikely.

none of the samba branches handles SID to uid translation correctly, due
to the use of a mathematical algorithm that excludes anything but SIDs
relative to the SAMBA server's SID.  regardless of whether it is a PDC,
BDC or a Domain member.

the solution is to farm-off the responsibility for SID to uid / SID to gid
and vice-versa translation to an nsswitch-like system that i've named
"surs - sid to uid resolution".

the default behaviour will be the limited, default behaviour of 2.0.x
(unless someone can convince jeremy that it's necessary to provide a
better solution, and it's not difficult to come up with a better one).
that will be the default sursswitch module.

other surs systems, capable of dealing with the BUILTIN domain, trusted
domain, LDAP databases that have user and group entries with both SID
_and_ uid/gid pairs in them, will then be able to be plugged in at your
discretion.

see discussions about SURS tables in archives, over new year, for [far too
many] details.  see http://cb1.com/~lkcl/cifs/draft-sidtouidmap-01.html
for a discussion of the issues, problems and solutions.

luke
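The switch design described in the message above, as an added illustration that is not part of the original post and not Samba code: a default arithmetic module that only answers for the server's own domain SID, with a table-backed module (the kind an LDAP-backed surs module would provide) plugged in behind it. The domain SIDs, the RID formula and the table entries are constructed for the example.

```python
# Constructed SIDs for the example (not real Samba or Windows values,
# except that S-1-5-32 is the well-known BUILTIN domain prefix).
LOCAL_DOMAIN_SID = "S-1-5-21-1000-2000-3000"   # this server's own SID
BUILTIN_SID = "S-1-5-32"                        # BUILTIN domain
TRUSTED_SID = "S-1-5-21-4000-5000-6000"         # a trusted domain


def split_sid(sid):
    """Split 'S-1-5-21-...-RID' into (domain prefix, rid)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


class AlgorithmicSurs:
    """Default module: uid <-> RID by arithmetic. It can only answer for
    SIDs relative to the local domain SID; everything else is unresolvable.
    RID = 2*uid + 1000 is a constructed stand-in, not the real 2.0.x formula."""

    def sid_to_uid(self, sid):
        prefix, rid = split_sid(sid)
        if prefix != LOCAL_DOMAIN_SID or rid < 1000 or rid % 2:
            return None
        return (rid - 1000) // 2


class TableSurs:
    """Pluggable module backed by an explicit SID -> uid table, the shape an
    LDAP entry carrying both a SID and a uid would give you."""

    def __init__(self, table):
        self.table = dict(table)

    def sid_to_uid(self, sid):
        return self.table.get(sid)


class SursSwitch:
    """nsswitch-like chain: the first module that answers wins."""

    def __init__(self, *modules):
        self.modules = modules

    def sid_to_uid(self, sid):
        for module in self.modules:
            uid = module.sid_to_uid(sid)
            if uid is not None:
                return uid
        return None


DEFAULT = SursSwitch(AlgorithmicSurs())   # 2.0.x-style behaviour only
PLUGGED = SursSwitch(AlgorithmicSurs(), TableSurs({
    BUILTIN_SID + "-544": 10544,    # constructed: BUILTIN\Administrators
    TRUSTED_SID + "-1104": 60001,   # constructed: a trusted-domain user
}))
```

With only the algorithmic module, a BUILTIN or trusted-domain SID resolves to nothing; the table module answers for exactly the SIDs it has been told about while the local domain keeps the arithmetic path.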


