FW: Speed comp. TNG & 2.2.alpha (fwd)

F.W.J.Wiegerinck f.w.j.wiegerinck at student.utwente.nl
Tue Feb 27 23:10:42 GMT 2001


Andrew Bartlett wrote:
> Peter Samuelson wrote:
> >
> > [Andrew Bartlett]
> > > Well if the case of private groups could be simply excluded (they
> > > exist only to make unix admin easier, they don't benefit NT), and
> > > system groups excluded, this problem would just 'go away' in the vast
> > > majority of installations.
> >
> > So when a file belongs to one of these excluded groups, and NT asks for
> > the security descriptor, what do you tell it -- "no group"?
> >
> > Peter
>
> I don't know the internals of NT as well as I should, but I didn't think
> that files under NT needed to be owned by both a group and a user, ie a
> file can be owned by just a user.
>
> If this is the case, then samba should just not mention the private
> group involved, and simply say the file is owned by the user.  If
> somebody is playing games, and files are owned by a different
> user/private group combination (ie not matching), then we have a problem
> - but that shouldn't occur in the natural course of things, and would
> require root permissions to set up anyway.

If we just look at the requirements for users and/or groups on the
Windows and Unix platforms, we can determine (correct me if I am wrong):

Unix:
- each user has one or more groups
- each group has zero or more users

Windows:
- each user has zero or more groups
- each group has zero or more users

Conclusion:
* converting unix groups to windows groups will never be a problem.
   windows groups have the same restrictions as unix groups for the
   relation group to user
* converting windows groups to unix groups will never be a problem.
   unix groups have the same restrictions as windows groups for the
   relation group to user
* converting unix users to windows users will never be a problem.
   a 1 to many relation can always be inserted into a 0 to many relation
* converting windows users can be a problem.
   a 0 to many relation can't be inserted automatically into a 1 to many
   relation

This problem (0 to many converting to a 1 to many relation) can be solved
by always inserting a relation into the 0 to many relation. If "n" is the
number of groups before converting, then it can be expressed like:
n(start) = 0..m; when we adapt this relation by inserting 1 relation we
can express it like:
n(adapted) = n(start) + 1 = (0..m)+1 = 1..(m+1) = 1..m
When we have adapted the relation it won't be a problem any more.

But how can we adapt the relation? There will be enough ways to do this.
Here are 2 examples:
* Each user has his own group with the same name. Problems will occur if
   another user uses that group too. If a group has the same name as its
   user it will not be passed through to the windows system.
* Each user has his "dummy" group. For example: this group could have the
   name "nobody". This could be specified in the config file. This group
   name will not be passed through to the windows system.

Both solutions require a filter for all relations to adjust any
information to the specs.

Sorry for my poor English and the way of expression.

Frank Wiegerinck
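
The filter proposed in the message above, as an added Python example; it is
not part of the original post and is not Samba code. The names UnixAccount,
unix_to_windows, windows_to_unix, DUMMY_GROUP and members_of are
assumptions, as is the sole-member check, which keeps a same-named group
visible once another user shares it.

```python
from dataclasses import dataclass, field

DUMMY_GROUP = "nobody"  # assumption: value of a hypothetical config option


@dataclass
class UnixAccount:
    name: str
    primary: str  # Unix side: every user has at least one group
    supplementary: list = field(default_factory=list)


def is_private_group(group, owner, members_of):
    """Example 1: group named after its user. Assumption added here: it is
    only treated as private while no other user is a member of it."""
    return group == owner and members_of.get(group, set()) <= {owner}


def unix_to_windows(acct, members_of, dummy=DUMMY_GROUP):
    """Groups reported to the Windows side; the result may be empty (0..m)."""
    reported = []
    for group in [acct.primary, *acct.supplementary]:
        if group == dummy or is_private_group(group, acct.name, members_of):
            continue  # filtered: not passed through to Windows
        if group not in reported:
            reported.append(group)
    return reported


def windows_to_unix(name, win_groups, private=True, dummy=DUMMY_GROUP):
    """Insert one relation so a 0..m membership fits the Unix 1..m rule."""
    primary = name if private else dummy
    return UnixAccount(name, primary, [g for g in win_groups if g != primary])


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    members = {"frank": {"frank"}, "staff": {"frank", "peter"}}
    frank = UnixAccount("frank", "frank", ["staff"])
    print(unix_to_windows(frank, members))       # private group hidden
    members["frank"].add("peter")                # group is now shared
    print(unix_to_windows(frank, members))       # shared group stays visible
    alice = windows_to_unix("alice", [])         # Windows user with 0 groups
    print(alice.primary, unix_to_windows(alice, {"alice": {"alice"}}))
```
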






More information about the samba-ntdom mailing list