Security Identifier (SID) to User Identifier (uid) Resolution System

Jeremy Allison jeremy at valinux.com
Tue Dec 28 20:41:58 GMT 1999


Luke Kenneth Casson Leighton wrote:
> 
> well... not really.  it's very brain-damaged.
> 
> 1) it excludes S-1-5-32 so you can't map any BUILTIN groups such as
> Administrators and "Account Operators" etc.

When you are a fileserver (which 2.0.x is) then you don't need
to map those groups. For a PDC I agree you need more.

> 2) multiple samba servers as members of the same domain need
> same-user-name-same-smbpasswd locally on each server, and they _still_
> produce different SIDs for the same damn username, which i am sure is a
> security risk, i just can't think it through clearly, it's that brain-dead
> and complicated an issue.

They create different SIDs because they are *DIFFERENT USERS*. Think
about this (some more :-).

If this is a security hole then NT security is *completely*
broken (hint. It's not :-).

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
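
The point argued above, as an added example that is not part of the original message or of Samba's code: a local account's SID is the issuing machine's SID plus a RID, so the same username on two member servers yields two distinct SIDs, while S-1-5-32 (BUILTIN) SIDs are identical on every machine. The S-1-5-21 values are constructed samples, the helper names (`parse_sid`, `kind`, `relation`) are hypothetical, and it assumes each server issues local accounts under its own machine SID.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sid:
    authority: int      # identifier authority, 5 = NT Authority
    subauths: tuple     # sub-authorities; the last one is the RID

    @property
    def issuer(self):
        """Everything before the RID: the domain or machine that issued the account."""
        return (self.authority, self.subauths[:-1])

    @property
    def rid(self):
        return self.subauths[-1]

def parse_sid(text):
    """Parse 'S-1-<authority>-<subauth>...' and reject malformed input."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision 1 SID with a sub-authority: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts[2:]):
        raise ValueError(f"non-numeric field in SID: {text!r}")
    authority, *subs = (int(p) for p in parts[2:])
    if authority >= 2**48 or len(subs) > 15 or any(s >= 2**32 for s in subs):
        raise ValueError(f"field out of range in SID: {text!r}")
    return Sid(authority, tuple(subs))

def kind(sid):
    if sid.authority == 5 and sid.subauths[0] == 32:
        return "builtin"    # S-1-5-32-*: identical on every machine
    if sid.authority == 5 and sid.subauths[0] == 21 and len(sid.subauths) == 5:
        return "issued"     # S-1-5-21-a-b-c-RID: a-b-c names the issuer
    return "other"

def relation(a, b):
    """Say how two SIDs relate; only an exact match is the same principal."""
    a, b = parse_sid(a), parse_sid(b)
    if a == b:
        return "same principal"
    if a.issuer == b.issuer:
        return "same issuer, different account"
    return "different issuer"

# Constructed sample values: a local account with RID 1001 on each of two servers.
SERVER_A_USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SERVER_B_USER = "S-1-5-21-1234567890-1098765432-2109876543-1001"
BUILTIN_ADMINS = "S-1-5-32-544"   # BUILTIN\Administrators, a well-known SID

if __name__ == "__main__":
    print(relation(SERVER_A_USER, SERVER_B_USER))
    print(relation(BUILTIN_ADMINS, BUILTIN_ADMINS))
```
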

