Luke Kenneth Casson Leighton lkcl at
Fri Dec 11 22:58:20 GMT 1998

> > I've not been following this thread extremely closely, but I will say
> > right now that I do NOT want to add Unix accounts for NT machines.  Icky
> > poo.
> Unfortunately that's the way it works - we hashed this
> out several months ago on this very list.
> The problem is that NT machine accounts and user accounts
> are allocated out of the same RID space. The only way
> of preventing potential clashes between UNIX user accounts
> mapped to NT rids and NT machine RID accounts is to do the
> same and ensure that the NT machine accounts are blocked
> out in the UNIX uid space (ie. allocate UNIX accounts for
> them).
> Icky maybe, but at least it's safe.

due to a potential security risk (trusted domain mapped to a unix user,
unix admin goes on holiday, remote domain account gets deleted and
re-added with a different nt password, but because it maps to the same
remote domain account username, access is granted to the unix box) we may
have to replace the mathematical uid<->user_rid and gid<->group_rid
mappings with a lookup table.

alternatively, for the ultimately paranoid, we allow "SID-RID" or
"DOMAIN_NAME\0000RID" as a format for entries in the domain map files,
this would be a good thing to do anyway and we could stick with the
horrible mathematical mapping system.

More information about the samba-technical mailing list