Security Identifier (SID) to User Identifier (uid) Resolution System

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Dec 30 05:29:05 GMT 1999


On Wed, 29 Dec 1999, Nicolas Williams wrote:

> See below.

okie.  [keeps going...]
 
> > > if you can establish the mappings offline, so to speak (which you claim
> > > one can, via auto-population of SURS tables - agreed).
> > 
> > ... ok, very cool.  another potential convert to db-based SURS tables.
> 
> I am. I have been from the beginning. See below.

oh!  okie :)
 
> > 1) the SAM database in samba is actually created from the unix uid
> > /etc/passwd (or whatever) pwdb.  unix uids are converted to a RID, the RID
> > is appended to the SAM SID, you have your SID.
> > 
> > 2) when _any_ SID comes in, the same rid-uid function is used.  any SIDS
> > that do not match the SAM SID at the front are REJECTED.
> > 
> > the rejection bit is what i object to about this algorithm.
> 
> Ay! I have been looking at Samba 2.0.5a served shares from an NT4 host
> since Tuesday, but I never tried using an NT account from a different
> domain.
> 
> This is bad. We've got this braindead multiple-NT domain situation here
> with an NT domain per-continent and we've been telling ppl that they'll
> be able to use Samba servers from other continents when we upgrade to
> Samba 2.x.x.

the solution to this is a work-around.  what you must do is make sure that
even when you have the concept of domains, you must ensure that all
usernames (NT-space) are flat.  you _cannot_ allow this:

DOMAIN1\fred
DOMAIN2\fred

then, in the samba server's password db, you must have a combined table of
all the unique names (and you can use map username= if you like).
in this way, you guarantee that NT names will map to unix names.

problem is, it's unenforceable.  you will need to control all the NT
domains.

> Where necessary we've been using the virtual server approach to make a
> Samba 1.9.18p10 server authenticate users against a PDC of one domain
> where the PDC name is dependent on the NetBIOS name that the user used
> to refer to the Samba server (i.e., "include = /some/path/using/%L").

oo dear.  i don't want to think about this case, right now.  you know you
can also do this:

smbpasswd file = /some/path/using/private/smbpasswd.%L

but please, please, let's leave this kind of thing out of the picture, for
now :-)

 
> Even though we have more than one NT domain there's really only one set
> of real users and the domain trust relationships reflect this.
> 
> Ok, so the current algorithmic mapping will now definitely not satisfy
> the needs of the environment where I work.
> 
> Ok, hurry up then. Implement the external SURS DB API. I might implement
> a module.

ok! ok!

good grief :)
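As an added illustration of the two mapping schemes argued about in this thread (not code from the post or from Samba itself), the block below models the algorithmic uid-to-RID scheme with its "reject any SID that is not from our SAM" behaviour, a table-driven SURS resolver that can carry foreign-domain SIDs, and a check for the flat-namespace rule (no DOMAIN1\fred alongside DOMAIN2\fred). The domain SIDs, uids and the RID offset formula are constructed assumptions; Samba's real RID arithmetic is not reproduced here.

```python
"""Algorithmic SID<->uid mapping versus a table-driven SURS lookup.

Constructed example: the SIDs, uids and the RID formula below are
assumptions for illustration, not values from any real installation.
"""
from __future__ import annotations

LOCAL_SAM_SID = "S-1-5-21-1000-2000-3000"      # assumed: this server's SAM SID
FOREIGN_DOMAIN_SID = "S-1-5-21-4000-5000-6000"  # assumed: some other NT domain
RID_BASE = 1000  # assumed offset so that uid-derived RIDs avoid well-known RIDs


def uid_to_rid(uid: int) -> int:
    """Assumed algorithmic mapping: shift the unix uid into the RID space."""
    if uid < 0:
        raise ValueError("uid must be non-negative")
    return RID_BASE + uid


def rid_to_uid(rid: int) -> int:
    """Inverse of uid_to_rid; RIDs below the base are not uid-derived."""
    if rid < RID_BASE:
        raise ValueError(f"RID {rid} is below the uid mapping range")
    return rid - RID_BASE


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain, sep, rid = sid.rpartition("-")
    if not sep or not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"malformed SID: {sid!r}")
    return domain, int(rid)


def uid_to_sid(uid: int) -> str:
    """Scheme 1: append the uid-derived RID to the local SAM SID."""
    return f"{LOCAL_SAM_SID}-{uid_to_rid(uid)}"


def sid_to_uid_algorithmic(sid: str) -> int:
    """Scheme 1 resolution: any SID whose domain part is not the local SAM
    SID is rejected outright, which is the behaviour objected to above."""
    domain, rid = split_sid(sid)
    if domain != LOCAL_SAM_SID:
        raise PermissionError(f"SID {sid} is not from this SAM; rejected")
    return rid_to_uid(rid)


class SursTable:
    """Scheme 2: an explicit SID<->uid table that may hold foreign SIDs."""

    def __init__(self) -> None:
        self._sid_to_uid: dict[str, int] = {}
        self._uid_to_sid: dict[int, str] = {}

    def add(self, sid: str, uid: int) -> None:
        split_sid(sid)  # validate the syntax before storing
        if sid in self._sid_to_uid or uid in self._uid_to_sid:
            raise ValueError(f"duplicate mapping for {sid} / uid {uid}")
        self._sid_to_uid[sid] = uid
        self._uid_to_sid[uid] = sid

    def populate_from_uids(self, uids: list[int]) -> None:
        """Auto-population: every local unix account gets a local-SAM SID
        via the algorithmic mapping; foreign SIDs are added explicitly."""
        for uid in uids:
            self.add(uid_to_sid(uid), uid)

    def sid_to_uid(self, sid: str) -> int:
        try:
            return self._sid_to_uid[sid]
        except KeyError:
            raise KeyError(f"no SURS entry for {sid}") from None

    def uid_to_sid(self, uid: int) -> str:
        return self._uid_to_sid[uid]


def check_flat_namespace(nt_names: list[str]) -> list[str]:
    """Return bare usernames that occur in more than one NT domain.
    The unix password db is one flat namespace, so such names are ambiguous
    and a combined username table cannot be built from them."""
    domains_by_name: dict[str, set[str]] = {}
    for full in nt_names:
        domain, _, bare = full.rpartition("\\")
        domains_by_name.setdefault(bare, set()).add(domain)
    return sorted(n for n, d in domains_by_name.items() if len(d) > 1)


if __name__ == "__main__":
    table = SursTable()
    table.populate_from_uids([500, 501])
    table.add(f"{FOREIGN_DOMAIN_SID}-1200", 502)  # foreign account, local uid
    print(table.sid_to_uid(f"{FOREIGN_DOMAIN_SID}-1200"))
    print(check_flat_namespace(["DOMAIN1\\fred", "DOMAIN2\\fred", "DOMAIN1\\alice"]))
```

Running the block shows the foreign SID resolving through the table (502) while `sid_to_uid_algorithmic` would have refused it, and lists `fred` as the name that breaks the flat-namespace requirement.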