Security Identifier (SID) to User Identifier (uid) Resolution System
Jeremy Allison
jeremy at valinux.com
Wed Dec 29 21:43:21 GMT 1999
Nicolas Williams wrote:
> The API I proposed is not an NSS API because there is no standard
> get*by*() Unix API that deals with SIDs. We had a long thread on the XAD
> list about how it would be nice if *nix kernels (and libc's) had a more
> generic credential interface. These topics are related :)
I agree the UNIX kernels need a more generic credential interface.
I'm not convinced that SIDs or copying NT is the right answer though.
That's where we differ. I want to look at the problem in isolation
from NT and try to solve it *right* rather than copying another
design (which has its own problems).
> The traditional Unix uid/gid system is inferior to the NT SID system.
I agree. I just am not convinced that adding SIDs to POSIX is the
right thing to do. The approach used by Kerberos or DCE may be better.
> How about something like this:
>
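> #define POSIX_USER_CRED 1
> #define POSIX_GROUP_CRED 2
> struct posix_cred {
>     int type;           /* POSIX_USER_CRED or POSIX_GROUP_CRED */
>     union {
>         uid_t uid;      /* valid when type == POSIX_USER_CRED */
>         gid_t gid;      /* valid when type == POSIX_GROUP_CRED */
>     } guid;
> };
>
> int surs_sid2guid(surs_handle *handle, sid_t sid, struct posix_cred *pcred);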
>
> The int result of the surs_sid2guid() function would be used to indicate
> success/failure+reason.
This looks fine for winbind. I just don't want it in Samba.
Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
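
A sketch of how the call proposed in the quoted text could behave, as an added example that is not part of the original message and is not Samba or winbind code. The `sid_t` layout, the `surs_handle` contents, the `SURS_*` return codes and the sample mapping table are all assumptions; an unmapped or foreign SID returns a distinct error and leaves `pcred` untouched, so a caller never falls back to a default uid.

```c
/* Added illustration, not Samba code; sid_t, surs_handle, SURS_* are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define POSIX_USER_CRED  1
#define POSIX_GROUP_CRED 2
enum { SURS_OK = 0, SURS_EINVAL = -1, SURS_EFOREIGN = -2, SURS_ENOTFOUND = -3 };
typedef struct { uint8_t rev, n_sub; uint8_t auth[6]; uint32_t sub[15]; } sid_t;
struct posix_cred { int type; union { uid_t uid; gid_t gid; } guid; };
struct surs_map { uint32_t rid; int type; uint32_t id; };
typedef struct { sid_t domain; const struct surs_map *map; size_t n; } surs_handle;

/* Constructed sample data: domain S-1-5-21-1-2-3 and three RID mappings. */
static const struct surs_map demo_map[] = {
    { 1000, POSIX_USER_CRED, 5001 }, { 1001, POSIX_USER_CRED, 5002 },
    { 513, POSIX_GROUP_CRED, 100 } };
static surs_handle demo_handle = { { 1, 4, { 0, 0, 0, 0, 0, 5 }, { 21, 1, 2, 3 } }, demo_map, 3 };

sid_t demo_sid(uint32_t rid)    /* SID in the sample domain with this RID appended */
{
    sid_t s = demo_handle.domain;
    s.sub[s.n_sub++] = rid;
    return s;
}

int surs_sid2guid(surs_handle *h, sid_t sid, struct posix_cred *pcred)
{
    if (!h || !pcred || sid.rev != 1 || sid.n_sub < 1 || sid.n_sub > 15)
        return SURS_EINVAL;
    /* Everything before the final sub-authority (the RID) names the domain. */
    if (sid.n_sub - 1 != h->domain.n_sub || memcmp(sid.auth, h->domain.auth, 6) ||
        memcmp(sid.sub, h->domain.sub, h->domain.n_sub * sizeof(uint32_t)))
        return SURS_EFOREIGN;
    for (size_t i = 0; i < h->n; i++) {
        if (h->map[i].rid != sid.sub[sid.n_sub - 1]) continue;
        pcred->type = h->map[i].type;
        if (pcred->type == POSIX_USER_CRED) pcred->guid.uid = (uid_t)h->map[i].id;
        else pcred->guid.gid = (gid_t)h->map[i].id;
        return SURS_OK;
    }
    return SURS_ENOTFOUND;      /* fail closed: pcred is left untouched */
}

int main(void)
{
    struct posix_cred c = { 0, { 0 } };
    printf("rc=%d\n", surs_sid2guid(&demo_handle, demo_sid(9999), &c));
    return 0;
}
```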