[XAD] Re: Security Identifier (SID) to User Identifier (uid)
Luke Kenneth Casson Leighton
lkcl at samba.org
Wed Dec 29 18:46:24 GMT 1999
On Wed, 29 Dec 1999, Nicolas Williams wrote:
> On Wed, Dec 29, 1999 at 12:24:49PM +1100, Luke Howard wrote:
> > I had always thought an algorithmic mapping between NT and UNIX
> > identifiers was the Way To Go from an administrative perspective
> > until I spoke to people who managed existing deployments, where
> > uids and SIDs had already been allocated. At least with a single
> > directory, you can put the identifiers in the same place.
> > That said, I still believe an algorithmic mapping is a good
> > idea for deployments that want it (for example, deployments with
> > a minimal UNIX infrastructure, or a minimal NT one). The mapping
> > logic could be in a number of places: in SAMBA, in an NSS module
> > for UNIX, or in the directory server itself.
> Yes, yes. Though you can't currently put the mapping logic into an NSS
> module as there is no standard get*by*() API that involves SIDs (you can
> make reference to SIDs internally, but you can't have those functions
> take a SID as an argument or return SID information).
jeremy got me thinking about this a little more. i'll have something
sufficient to express in words in the next few hours/days.
> The directory is a good place to put either or both express mappings and
> logical mappings. This is why Samba could use a little API so others can
> provide it with modules to make these lookups via a directory.
> Still, the uid/gid->local SID mapping Samba fileservers implement now is
> not bad. There is no urgency to implement such an API. Though I bet Luke
> would rush to it if given the go ahead :)
not really. i am still very concerned that jeremy doesn't get it. if he
doesn't get it, then there's no point in my proceeding with an
implementation. 1) i could be wrong 2) it wouldn't go into samba if andrew
and jeremy don't get it.