Security Identifier (SID) to User Identifier (uid) Resolution System

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Dec 30 05:49:09 GMT 1999


On Wed, 29 Dec 1999, Jeremy Allison wrote:

> Luke Kenneth Casson Leighton wrote:
> > 
> > On Tue, 28 Dec 1999, Jeremy Allison wrote:
> > 
> > > Ok, let me explain *why* I am fighting tooth and nail to
> > > keep Luke's SID mapping table out of Samba.
> > >
> > > It is simply the wrong place to put such a thing.
> > >
> > > If we step back and look at the actual problem we are
> > > trying to solve, then we see that hacking Samba with
> > > mapping tables is the wrong approach.
> > 
> > firstly, it's not a hack.  if it _can_ be defined to be a hack, it's a
> > hack that needs to sit on top of _all_ posix-compliant software that also
> > wishes to be NT-domain-compliant.  that includes absolutely anyone.  sun,
> > syntax, at & t, sco, absolutely everyone needs to implement the functional
> > equivalent of a SURS table.  the open source projects i know of that need
> > to implement the functional equivalent of a SURS table are:
> > 
> > - pam_ntdom
> > 
> > - winbind
> > 
> > - samba
> > 
> > - pam_smb
> 
> This is incorrect.
> 
> The only place this needs to be done is in winbind. All
> the other functions use the *standard* POSIX getpw[nam/uid]
> get calls.

> *ONLY WINBIND* needs to be aware of SID -> uid/gid mapping.
> All others do not.

i take it that you really don't mean this.  i mean, if it is, then it
explains why we're having such difficulty communicating, here.

because if this is really what you think, then it means that you are now
imposing a limitation whereby only those uids that winbind can provide [as
"real" sids, so to speak] are allowed to be "real" unix users.

that's one possible architecture, but i don't think that anyone's going to
buy it.

what about trusted domain users?  what about the BUILTIN domain?  what
about remote workstations?
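
A toy SID-to-uid resolution (SURS) table, added here as an illustration of the point under argument; it is not code from Samba, winbind, pam_ntdom or pam_smb. It assumes a single uid allocation range that the table hands out on first sight of a SID, and the local and trusted domain SIDs in it are constructed sample values (BUILTIN is the real well-known S-1-5-32). The point it shows is the one the message raises: the same RID can arrive from the local domain, a trusted domain and BUILTIN, and each needs its own uid, which the table, not the origin of the SID, is responsible for.

```python
"""Toy SURS (SID -> uid resolution) table: an added illustration, not Samba code."""
import re

# S-<revision>-<identifier authority>-<subauthority...>, at least one subauthority.
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# BUILTIN is the well-known S-1-5-32; the other two are constructed sample domain SIDs.
BUILTIN_DOMAIN_SID = "S-1-5-32"
LOCAL_DOMAIN_SID = "S-1-5-21-1111-2222-3333"
TRUSTED_DOMAIN_SID = "S-1-5-21-4444-5555-6666"


def split_sid(sid):
    """Return (domain_sid, rid) for a well-formed SID, else raise ValueError.

    The last subauthority is the RID; everything before it names the domain.
    'S-1-5-32-544' -> ('S-1-5-32', 544)
    """
    if not _SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % (sid,))
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


class SursTable:
    """SID <-> uid map with a fixed uid allocation range (assumed design).

    Any SID from any domain (local, trusted, BUILTIN, a remote workstation's
    local SAM) can be given a uid; the table is the source of truth, so a
    uid is a "real" unix user as soon as it is recorded here.
    """

    def __init__(self, uid_low, uid_high):
        if uid_low > uid_high:
            raise ValueError("empty uid range")
        self.uid_low, self.uid_high = uid_low, uid_high
        self._next_free = uid_low
        self._sid_to_uid = {}
        self._uid_to_sid = {}

    def lookup_uid(self, sid):
        """Return the uid mapped to sid, or None if no mapping exists yet."""
        split_sid(sid)          # reject garbage before touching the table
        return self._sid_to_uid.get(sid)

    def lookup_sid(self, uid):
        """Return the SID mapped to uid, or None if the uid is not ours."""
        return self._uid_to_sid.get(uid)

    def sid_to_uid(self, sid):
        """Return the uid for sid, allocating the next free one on first sight."""
        split_sid(sid)
        uid = self._sid_to_uid.get(sid)
        if uid is not None:
            return uid              # idempotent: same SID, same uid, forever
        if self._next_free > self.uid_high:
            raise RuntimeError("uid range %d-%d exhausted"
                               % (self.uid_low, self.uid_high))
        uid = self._next_free
        self._next_free += 1
        self._sid_to_uid[sid] = uid
        self._uid_to_sid[uid] = sid
        return uid

    def domain_of(self, uid):
        """Domain SID behind a uid, so callers can tell local from trusted/BUILTIN."""
        sid = self.lookup_sid(uid)
        return None if sid is None else split_sid(sid)[0]


def demo():
    """Map RID 1000 from the local and a trusted domain plus BUILTIN\\Administrators."""
    table = SursTable(10000, 10002)
    local = table.sid_to_uid(LOCAL_DOMAIN_SID + "-1000")
    trusted = table.sid_to_uid(TRUSTED_DOMAIN_SID + "-1000")
    admins = table.sid_to_uid(BUILTIN_DOMAIN_SID + "-544")   # RID 544 = Administrators
    return local, trusted, admins
```

Whatever component owns the table (winbind, a PAM module, smbd itself) has to persist it, because a uid handed out once must map to the same SID after a restart or file ownership on disk silently changes meaning; the in-memory dicts stand in for that store here.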



More information about the samba-technical mailing list