Security Identifier (SID) to User Identifier (uid) ResolutionSystem

[Luke Kenneth Casson Leighton]

On Thu, 30 Dec 1999, Jeremy Allison wrote:

> Nicolas Williams wrote:
> 
> > Kerberos has no uid/sid like concept. Kerberos only has names
> > (principals) and domains (realms).
> 
> *Precisely*. Kerberos and DCE use a name based mapping, not
> a number based one.

except of course, microsoft's FUCKED up implementation of kerberos, in
whcih they decided it was OK to add user-profile information because their
DAMN APIs (behind LsaLogonUserEx, ultimately), require user profile info
to be retruned AS WELL as an "user authenticated successfully" response.

why couldn't they just stick to their oown messed-up proprietary APIs,
anmd extend those to obtain user prfile info, dammin!!!
 
> > Let's just say that the main benefit of SIDs is that they provide some
> > hierarchy where uids provide none.
> 
> Yes, but remember we are working on POSIX systems. They
> have no hieratrchy of users. Yes that sucks but it isn't
> a job for Samba to fix.

in your opinion.

actually, i agre.  it's not samba's job to fix it.  however, if there
exists a means _to_ fix it, then we are shirking our responsibility to
samba users if we don't use it.

> > The idea is to make Samba use that API and for some external agent to
> > provide it.
> 
> I don't really want Samba to use that API. I'd rather
> Samba only know about uid/gids and have the uglyness in
> the mapping done in one place only.

amke a choice, jeremy.

do you want samba to be fully nt-domain interoperable, or not?