Security Identifier (SID) to User Identifier (uid) Resolution System

Jeremy Allison jeremy at valinux.com
Wed Dec 29 22:15:48 GMT 1999


Nicolas Williams wrote:
> 
> On Wed, Dec 29, 1999 at 01:59:42PM -0800, Jeremy Allison wrote:
> > Nicolas Williams wrote:
> >
> > > Kerberos has no uid/sid like concept. Kerberos only has names
> > > (principals) and domains (realms).
> >
> > *Precisely*. Kerberos and DCE use a name based mapping, not
> > a number based one.
> 
> So you think filesystems should use strings instead of integers to
> represent users and groups in file ACLs? Uids, gids, sids, they're all
> optimisations.

No, I didn't mean filesystems. I was talking about mapping
names into security contexts. NT SIDs are one way of doing that,
Kerberos/DCE is another (although they're converging in Win2k :-).

> I'm confused. Samba is the fileserver, Samba has to convert uids/gids to
> SIDs to emulate NT ACLs to SMB clients. So Samba needs to be able to
> convert uids/gids to SIDs at least. The reverse is not necessary unless
> you want to support clients adding/removing users/groups from Unix
> files' ACLs (where Unix supports ACLs).

Yes, ok. I wasn't clear here. Samba does have to do this, but I'm
trying to avoid implementing a very complex mapping function to
do this, and leave it very simple.

> Now, I agree that if the only thing Samba needs to do is convert
> uids/gids to SIDs then using the fileserver's host SID as the base SID
> and algorithmically converting uids/gids to RIDs of that SID works
> fine.

Hurrah, we agree :-).

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
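The scheme the two of them agree on above (take the fileserver's host SID as the base, derive the RID arithmetically from the uid or gid, and only ever map in the uid-to-SID direction for file ACLs) is small enough to show in full. The following C program is an added example and is not Samba's own code from this thread; the multiplier and the 1000/1001 offsets are constructed for illustration, as is the host SID `S-1-5-21-1-2-3`. It also shows the two checks a practitioner would want on the reverse path: SIDs from any other domain are refused rather than mapped, and well-known RIDs below the algorithmic range are never turned into a Unix id by arithmetic.

```c
/* Added example: algorithmic uid/gid <-> RID mapping under one base SID.
 * Multiplier and offsets are constructed for this example, not Samba's values. */
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define RID_MULTIPLIER 2u     /* constructed: users get even RIDs, groups odd */
#define USER_RID_BASE  1000u  /* constructed: stays clear of well-known RIDs (< 1000) */
#define GROUP_RID_BASE 1001u

/* Forward direction: this is all a pure fileserver needs for emulating NT ACLs. */
uint32_t uid_to_rid(uid_t uid) { return (uint32_t)uid * RID_MULTIPLIER + USER_RID_BASE; }
uint32_t gid_to_rid(gid_t gid) { return (uint32_t)gid * RID_MULTIPLIER + GROUP_RID_BASE; }

/* Reverse direction. Only RIDs at or above USER_RID_BASE are algorithmic;
 * anything below (e.g. 500 Administrator, 512 Domain Admins) is a well-known
 * RID that needs an explicit table and must never be decoded by arithmetic. */
bool rid_to_unix_id(uint32_t rid, uint32_t *id, bool *is_group)
{
    if (rid < USER_RID_BASE)
        return false;
    uint32_t off = rid - USER_RID_BASE;
    *is_group = (off % RID_MULTIPLIER) == 1;
    *id = off / RID_MULTIPLIER;
    return true;
}

/* Render "<base_sid>-<rid>" for a uid. Returns 0 on success, -1 if truncated. */
int uid_to_sid_string(const char *base_sid, uid_t uid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s-%" PRIu32, base_sid, uid_to_rid(uid));
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Parse a SID string back to a uid/gid. Rejects SIDs of any other domain
 * (base prefix mismatch), non-decimal RIDs, and RIDs that overflow 32 bits. */
bool sid_string_to_unix_id(const char *base_sid, const char *sid,
                           uint32_t *id, bool *is_group)
{
    size_t blen = strlen(base_sid);
    /* The base must match exactly and be followed by the RID separator, so
     * base "S-1-5-21-1-2-3" does not accept "S-1-5-21-1-2-30-...". */
    if (strncmp(sid, base_sid, blen) != 0 || sid[blen] != '-')
        return false;
    const char *rid_str = sid + blen + 1;
    if (*rid_str < '0' || *rid_str > '9')   /* no sign, no whitespace, no empty RID */
        return false;
    char *end = NULL;
    errno = 0;
    unsigned long rid = strtoul(rid_str, &end, 10);
    if (errno != 0 || *end != '\0' || rid > UINT32_MAX)
        return false;
    return rid_to_unix_id((uint32_t)rid, id, is_group);
}

int main(void)
{
    const char *base = "S-1-5-21-1-2-3";   /* constructed host SID */
    char buf[64];
    uint32_t id;
    bool grp;

    if (uid_to_sid_string(base, 500, buf, sizeof buf) == 0)
        printf("uid 500 -> %s\n", buf);
    if (sid_string_to_unix_id(base, buf, &id, &grp))
        printf("%s -> %s %" PRIu32 "\n", buf, grp ? "gid" : "uid", id);
    if (!sid_string_to_unix_id(base, "S-1-5-21-9-9-9-2000", &id, &grp))
        printf("foreign-domain SID rejected\n");
    if (!sid_string_to_unix_id(base, "S-1-5-21-1-2-3-512", &id, &grp))
        printf("well-known RID 512 is not algorithmic\n");
    return 0;
}
```

Because the forward mapping is a bijection onto RIDs at or above 1000, the reverse function can stay this simple; the only places that need care are the domain check and the well-known range, which is where a looser implementation would start honouring a SID it never issued.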

