Security Identifier (SID) to User Identifier (uid) Resolution System

Leslie M. Barstow III phoenix at faerealm.com
Thu Dec 30 06:53:13 GMT 1999


On Thu, 30 Dec 1999, Jeremy Allison wrote:
> Luke Kenneth Casson Leighton wrote:
> > On Tue, 28 Dec 1999, Jeremy Allison wrote:

> > > Ok, let me explain *why* I am fighting tooth and nail to
> > > keep Luke's SID mapping table out of Samba.

> > > It is simply the wrong place to put such a thing.

> > > If we step back and look at the actual problem we are
> > > trying to solve, then we see that hacking Samba with
> > > mapping tables is the wrong approach.

> > firstly, it's not a hack.  if it _can_ be defined to be a hack, it's a
> > hack that needs to sit on top of _all_ posix-compliant software that also
> > wishes to be NT-domain-compliant.  that includes absolutely anyone.  sun,
> > syntax, at & t, sco, absolutely everyone needs to implement the functional
> > equivalent of a SURS table.  the open source projects i know of that need
> > to implement the functional equivalent of a SURS table are:

> > - pam_ntdom

Shouldn't need it - PAM only authenticates a name against a [series of]
key[s], and returns only success or failure.  It would be *nice* if the
PAM module were able to update the SURS table, though - it gets the SID
back as part of the authentication process.

> > - winbind

Definitely.

> > - samba

I think it should use SURS - see below...

> > - pam_smb

No, see pam_ntdom above...

> The only place this needs to be done is in winbind. All
> the other functions use the *standard* POSIX getpw[nam/uid]
> get calls.

> *ONLY WINBIND* needs to be aware of SID -> uid/gid mapping.
> All others do not.

Why rely on an external interface which is not designed to
handle NT security when Samba already has 90+% of the
information it needs.  Samba gets the SID as part of the
login process; it gets group SIDs for the user in the local
domain.

If you rely on Winbind to do this for you from Samba,
you give up the SID you know is right for one you hope is
right.  All you can pass getpwnam() is a name, which can
be re-used after a previous employee leaves; I suppose
you could pass Winbind the SID as a name, but that seems
redundant.

--
Leslie M. Barstow III  | http://www.faerealm.com/phoenix
phoenix at faerealm.com   |    Linux and Apple][GS links:    computers/
PGP key at www.pgp.com |    Fight junk e-mail abuse!:     computers/spam/
Wow!  It all fits.     |
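An added illustration of the argument made in the message above (example code, not from the thread or from Samba): a SURS-style table keyed on the SID next to a name-keyed lookup of the kind getpwnam() implies. The domain SID, RIDs and uid/gid ranges are constructed for the demonstration; it shows that when an account name is reused, only the name-keyed scheme hands the newcomer the previous employee's uid.

```python
import re
from itertools import count

# Constructed pattern for an NT SID string: S-1-<authority>-<subauth>-...-<RID>
_SID_RE = re.compile(r"^S-1-(\d+)(?:-(\d+))+$")

def parse_sid(sid):
    """Split a SID string into (domain SID, RID); raise ValueError if malformed."""
    if not _SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])

class SursTable:
    """SID -> uid/gid table keyed on the SID itself, never on the account name."""
    def __init__(self, uid_base=10000, gid_base=20000):
        self.sid_to_uid = {}
        self.sid_to_gid = {}
        self._next_uid = count(uid_base)   # constructed allocation range
        self._next_gid = count(gid_base)

    def uid_for(self, sid):
        parse_sid(sid)                     # validate before allocating anything
        if sid not in self.sid_to_uid:
            self.sid_to_uid[sid] = next(self._next_uid)
        return self.sid_to_uid[sid]

    def gid_for(self, sid):
        parse_sid(sid)
        if sid not in self.sid_to_gid:
            self.sid_to_gid[sid] = next(self._next_gid)
        return self.sid_to_gid[sid]

def resolve_login(table, user_sid, group_sids):
    """Map what a domain logon yields (user SID plus group SIDs) to uid and gids."""
    return table.uid_for(user_sid), sorted(table.gid_for(g) for g in group_sids)

# Constructed domain SID and RIDs for the demonstration.
DOMAIN = "S-1-5-21-111-222-333"
OLD_ALICE = f"{DOMAIN}-1001"     # account "alice", later deleted
NEW_ALICE = f"{DOMAIN}-1002"     # a new employee who is also named "alice"
DOMAIN_USERS = f"{DOMAIN}-513"

def name_reuse_demo():
    """Return (uid a name-keyed lookup gives the new alice, old alice's uid, new alice's uid)."""
    table = SursTable()
    name_keyed = {}                        # what a getpwnam()-style mapping would hold
    uid_old, _ = resolve_login(table, OLD_ALICE, [DOMAIN_USERS])
    name_keyed.setdefault("alice", uid_old)
    uid_new, _ = resolve_login(table, NEW_ALICE, [DOMAIN_USERS])
    return name_keyed["alice"], uid_old, uid_new
```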
