Security Identifier (SID) to User Identifier (uid) Resolution System
Luke Kenneth Casson Leighton
lkcl at samba.org
Wed Dec 29 10:50:45 GMT 1999
> Wellll, in NT you have the concept of local users: RIDs relative to
> _host_ SIDs. A Samba server in security=domain mode is a domain member
> with a host SID assigned to it. The Samba server can only create new
> SIDs that are relative to its host SID. Mapping a uid/gid to a
> domain-relative SID would require that you make damn sure that the
> mapping is semantically correct. That's what you want to see done.
remember, creating a SID (and being responsible for it) is a different
task from mapping a SID to a uid.
you can only create SIDs for your own domain (local SAM or as a PDC)
you can map SIDs to uids for any chosen scheme that makes sense on a
network, as configured by an admin.
what all the fuss is about, i am fairly certain, is that these two things
are being confused.
i really need to get to the bottom of what it is that you, jeremy, think i
am thinking. i'm clearly missing something, else you would be constantly
telling me what i already know [no remote POSIX users exist / can exist. i
even state this in the abstract - the first sentences! - on
draft-lkcl-sidtouidmap-00.txt!]
> That's what I want as well, and I bet many others would like that too,
> because maintaining this *nix-and-NT-are-totally-different attitude is
> costly from a labor point of view.
>
> Until you can guarantee that equivalency between a given *nix domain's
> users/groups and a related NT domain you have to stick with Samba's
> current approach to uid/gid->sid mapping.
easier done than said. trivially implemented. i can code it up in about
two days.
> There's no need to argue here. Keep the current system, add support for
> externally provided mapping solutions and you're set.
i would love to. except that someone needs to convince jeremy that it's
possible and that it's ok to add it.