Security Identifier (SID) to User Identifier (uid) Resolution System
Luke Kenneth Casson Leighton
lkcl at samba.org
Thu Dec 30 05:29:05 GMT 1999
On Wed, 29 Dec 1999, Nicolas Williams wrote:
> See below.
okie. [keeps going...]
> > > if you can establish the mappings offline, so to speak (which you claim
> > > one can, via auto-population of SURS tables - agreed).
> >
> > ... ok, very cool. another potential convert to db-based SURS tables.
>
> I am. I have been from the beginning. See below.
oh! okie :)
> > 1) the SAM database in samba is actually created from the unix uid
> > /etc/passwd (or whatever) pwdb. unix uids are converted to a RID, the RID
> > is appended to the SAM SID, you have your SID.
> >
> > 2) when _any_ SID comes in, the same rid-uid function is used. any SIDs
> > that do not match the SAM SID at the front are REJECTED.
> >
> > the rejection bit is what i object to about this algorithm.
>
> Ay! I have been looking at Samba 2.0.5a served shares from an NT4 host
> since Tuesday, but I never tried using an NT account from a different
> domain.
>
> This is bad. We've got this braindead multiple-NT domain situation here
> with an NT domain per-continent and we've been telling ppl that they'll
> be able to use Samba servers from other continents when we upgrade to
> Samba 2.x.x.
the solution to this is a work-around. what you must do is make sure that
even when you have the concept of domains, you must ensure that all
usernames (NT-space) are flat. you _cannot_ allow this:
DOMAIN1\fred
DOMAIN2\fred
then, in the samba server's password db, you must have a combined table of
all the unique names (and you can use map username= if you like).
in this way, you guarantee that NT names will map to unix names.
problem is, it's unenforceable. you will need to control all the NT
domains.
> Where necessary we've been using the virtual server approach to make a
> Samba 1.9.18p10 server authenticate users against a PDC of one domain
> where the PDC name is dependent on the NetBIOS name that the user used
> to refer to the Samba server (i.e., "include = /some/path/using/%L").
oo dear. i don't want to think about this case, right now. you know you
can also do this:
smbpasswd file = /some/path/using/private/smbpasswd.%L
but please, please, let's leave this kind of thing out of the picture, for
now :-)
> Even though we have more than one NT domain there's really only one set
> of real users and the domain trust relationships reflect this.
>
> Ok, so the current algorithmic mapping will now definitely not satisfy
> the needs of the environment where I work.
>
> Ok, hurry up then. Implement the external SURS DB API. I might implement
> a module.
ok! ok!
good grief :)
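The two mapping strategies argued over above, as an added illustration that is not Samba code and not part of the original thread: the algorithmic uid-to-RID rule that rejects every SID not prefixed by the server's own SAM SID, beside a table-based SURS that can hold explicit entries for accounts from trusted foreign domains, plus the flat-namespace check the work-around depends on. The SAM SID value and the rid = uid + RID_BASE formula are constructed placeholders, not Samba's real ones.

```python
# Added example, not Samba code: the two SID<->uid strategies the thread contrasts.
# Assumptions: a constructed SAM SID, and rid = uid + RID_BASE standing in for Samba's real uid-to-RID function.
SAM_SID = "S-1-5-21-1111-2222-3333"   # constructed: this server's own SAM SID
RID_BASE = 1000                        # assumption, not Samba's actual formula


def uid_to_sid(uid):
    """Algorithmic mapping: turn the uid into a RID and append it to the SAM SID."""
    return f"{SAM_SID}-{uid + RID_BASE}"


def sid_to_uid_algorithmic(sid):
    """Reverse of uid_to_sid. A SID whose prefix is not our SAM SID (i.e. any
    account from another domain) is rejected with None: the behaviour objected to."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != SAM_SID or not rid.isdigit():
        return None
    return int(rid) - RID_BASE


class SursTable:
    """Table-based SURS: explicit, unique SID<->uid entries, so accounts from
    trusted foreign domains get a uid instead of a rejection."""

    def __init__(self):
        self._by_sid, self._by_uid = {}, {}

    def add(self, sid, uid):
        if sid in self._by_sid or uid in self._by_uid:
            raise ValueError("each SID and each uid may be mapped only once")
        self._by_sid[sid] = uid
        self._by_uid[uid] = sid

    def sid_to_uid(self, sid):
        # explicit entry first, then fall back to the algorithm for our own SIDs
        return self._by_sid.get(sid, sid_to_uid_algorithmic(sid))

    def uid_to_sid(self, uid):
        return self._by_uid.get(uid, uid_to_sid(uid))


def colliding_usernames(nt_names):
    """The flat-namespace precondition for the thread's work-around: return bare
    usernames that exist in more than one domain (DOMAIN1\\fred vs DOMAIN2\\fred)."""
    domains = {}
    for name in nt_names:
        domain, _, user = name.rpartition("\\")
        domains.setdefault(user.lower(), set()).add(domain.upper())
    return sorted(u for u, d in domains.items() if len(d) > 1)
```

A non-empty result from colliding_usernames means the combined password table cannot be built without renaming (or map username=) first.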