Security Identifier (SID) to User Identifier (uid) ResolutionSystem

[Nicolas Williams]

Luke/Jeremy,

The algorythmic mapping of uids/gids<->sids in Samba works fine as it
is, except that when looking at ACLs on on Unix files via Samba the
usernames and groupnames are shown as <Samba hostname>/<user/group name>
on Windows systems. This is annoying if you happen to have standards in
place which guarantee that any given uid or gid represent the same
user/group on a group of *nix hosts.

Two possible improvements over this are:

 - allow administrators to specify a different SID to use as the base
   for uid/gid<->sid conversions, such as a domain SID whose domain name
   might indicate to users that the SID represents an entity in a domain
   of *nix systems (the domain's PDC would have to be a Samba server OR
   the mapping algorythm would have to match NT's POSIX subsystem's)

   (Would there have to be trusts between a domain with an NT PDC and a
    domain with a Samba PDC for NT clients to be able to resolve SIDs
    from the Samba domain to human readable names? I would guess the
    answer is "no"; the clients would probably find the Samba DCs using
    NetBIOS and ask them to do the SID->name lookups.)

 - implement SURS

To help in transitioning to SURS it would be nice if Samba would
fallback to the algorythmic mapping when there are no valid SURS
mappings.

Here's some details of the configurationa dn the interface to SURS as I
imagine them:

 - a share-wise parameter "guid2sid mapping" whose value is of the form:

   [path to SURS shared lib] [default]

   If a path is given that should be the path to a library to dlopen().

   If the "default" is specified then the algorythmic mapping should be
   used when the SURS mappings fail or if no SURS library path was
   given.

   Examples:
   
    guid2sid mapping = /usr/local/lib/samba/surs-nis.so default
    guid2sid mapping = /usr/local/lib/samba/surs-nis.so
    guid2sid mapping = default

 - a share-wise parameter "guid2sid base sid" whose value is either a
   SID, or a NetBIOS host/domain name

 - a share-wise parameter "guid2sid mapping args" whose value is a
   string to be passed to the init function of the SURS library.

The SURS library would present Samba with an API consisting of the
following functions:

surs_handle *	surs_init(char * arg, sid_t base_sid);
surs_handle *	surs_destroy(surs_handle * handle);
int 		surs_uid2sid(surs_handle* handle, uid_t uid, sid_t * sid);
int 		surs_gid2sid(surs_handle* handle, gid_t gid, sid_t * sid);
int 		surs_sid2gid(surs_handle* handle, sid_t sid, gid_t * gid);
int 		surs_sid2uid(surs_handle* handle, sid_t sid, uid_t * uid);

The int return value of the mapping functions is to be used to indicate
success or failure and the reason for the failure.

The third argument of each mapping function call is a return value.

The surs_init() function should probably also have an SMB share
connection structure as an argument.

Thoughts?

Nico
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.