Security Identifier (SID) to User Identifier (uid) ResolutionSystem

[Todd Sabin]

Luke Kenneth Casson Leighton <lkcl at samba.org> writes:

> > > Ok, so the current algorythmic mapping will now definitely not satisfy
> > > the needs of the environment where I work.
> > 
> > I don't see why not. Whenever these users access files on
> > a Samba server they're doing it as a uid the Samba server
> > knows about, so what is the problem ? Yes if they look at
> > the ACLs on a file they will see users local to the Samba
> > server as entries, but that's exactly what the ACLs on the
> > Samba server represent.
> 
> and what happens when you select a samba server in show-users from an NT
> workstation?
> 
> yes, this is possible.
> 

Only if the samba server is the DC (or trusted DC) of the machine
whose file you're manipulating.  Those are the only machines you can
show users from.  Which is as it should be, because those are the only
accounts that the machine can authenticate.  The GUI is smart enough
to limit your choices to those that actually make sense.

> select a local file on an NT wksta.  selcet sile security tab.  go to show
> users.  selct a remote samba server.  try granting a remote samba server's
> users permissions to access a file on the local NT wksta.
> 
> or better, make that a group.
> 
> then, selcet _aohter_ remote samba server, and do the same thing.
> 
> even better, do this for two remote samba servers that are in the same NT
> domain, both of which are configured with "security = domain" and
> "password server = some_third_party_ntpdc".
> 
> this results in such a messed up usage of stupidly created SIDs that i
> don't want to think or talk about it.  it's so stupid i can't believe you
> are still justifying restricting individual unix servers to one nt domain.

As mentioned above, this doesn't work in the way you're describing.


Todd