Security Identifier (SID) to User Identifier (uid) Resolution System
Jeremy Allison
jeremy at valinux.com
Tue Dec 28 21:35:34 GMT 1999
Luke Kenneth Casson Leighton wrote:
>
> well.... the LsaLookupNames calls end up coming to each individual samba
> server to resolve ACL components, instead of to the PDC.
>
> i'm not sure that this is a security risk, but it's certainly not a good
> idea.
Why not ? The Samba server that issued the ACL is the only possible
source of SID -> name lookup information.
> you can still grant remote users in completely foreign domains (including
> workstations) the rights to use/view/rwxblahblah files through the
> security tab settings.
Yes. And if you do this the UNIX servers *MUST* refuse to set that
ACL and return an error as they cannot map such foreign SIDs to
uid/gids.
They can only map SIDs they have generated.
> again, with the current scheme (2.0.x), workstation SIDs are excluded from
> the mapping.
Good. It *has* to be so. These SIDs have no meaning on the Samba server.
Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
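
Added example, not part of the original message and not Samba's code: a C sketch of the rule stated above, in which a server maps only SIDs under its own domain SID and refuses an ACL that contains any other. The domain SID, the RID scheme (RID = 1000 + 2*id, odd for groups) and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed value: the domain SID this server generated for itself. */
static const char *LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333";
#define RID_BASE 1000UL /* assumed scheme: RID = 1000 + 2*id, odd = group */
enum { SID_UNMAPPABLE = -1, SID_USER = 0, SID_GROUP = 1 };

/* Map a SID string to a uid/gid only if this server issued it. */
int sid_to_unix_id(const char *sid, unsigned long *id)
{
    size_t n = strlen(LOCAL_SID);
    unsigned long rid;
    char *end;
    /* The whole domain part must match and exactly one unsigned RID must
       follow; a longer look-alike sub-authority fails the '-' check. */
    if (strncmp(sid, LOCAL_SID, n) != 0 || sid[n] != '-' ||
        sid[n + 1] < '0' || sid[n + 1] > '9')
        return SID_UNMAPPABLE;
    errno = 0;
    rid = strtoul(sid + n + 1, &end, 10);
    if (errno != 0 || *end != '\0' || rid > 0xFFFFFFFFUL || rid < RID_BASE)
        return SID_UNMAPPABLE;
    *id = (rid - RID_BASE) / 2;
    return (rid - RID_BASE) % 2 ? SID_GROUP : SID_USER;
}

/* Check every entry before applying anything: one unmappable SID makes
   the whole request fail, so no partial ACL is ever written. */
int set_acl(const char *const sids[], size_t count)
{
    unsigned long id;
    for (size_t i = 0; i < count; i++)
        if (sid_to_unix_id(sids[i], &id) == SID_UNMAPPABLE)
            return -1; /* caller returns an error to the client */
    return 0;
}

int main(void)
{
    /* Constructed request: one local user plus one workstation-style SID. */
    const char *const acl[] = {
        "S-1-5-21-1111111111-2222222222-3333333333-1200",
        "S-1-5-21-4444444444-5555555555-6666666666-1001" };
    printf("set_acl: %s\n", set_acl(acl, 2) == 0 ? "applied" : "refused");
    return 0;
}
```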