Security Identifier (SID) to User Identifier (uid) Resolution System

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Dec 30 19:59:12 GMT 1999


> Most of the arguments presented seem to be getting circular.

my arguments are not circular.  if the underlying design was circular,
then my argument would be circular.  i'd fall on my arse without anyone
else having to do it for me, and i'd give up on this issue and do
something else.

> Also this SURS table or Trusts are mainly useful for those POSIX systems
> that have ACLs built into them.  For those systems that do not have ACLs, it
> will be a hard sell.  A very hard sell.

there is no dependency between SURS tables and ACLs.  the benefits using
SURS resolution brings are far more than just ACLs.  and ACLs are just
_one_ implementation of unix file security, the other one is traditional
unix ugo+rwx file security, and SURS tables can be used there, too.
jeremy has already proved that this can be done: it's already in 2.0.x.

> Without ACLs, implementing a true trust relationship does not generate much
> benefit unless you simulate ACLs on behalf of the host operating system.  I

simulate NT ACLs, you mean.  and the mapping between NT ACLs and unix
file/directory permissions does not depend on the target unix host having
ACLs (see above).

> An external tool that uses a SURS database to automagically manage a POSIX
> database may be the best way of demonstrating the real good and bad issues
> about it.

pick one.  pam_ntdom, samba, or winbind.  i'm not going to waste my time,
however.

> In my "real world" mapping of NT groups to POSIX Users/UIDs, I only use the
> text names, and never a SID to create the USERS.  A SID only comes into play
> after authentication, and is only needed for a NT system to participate in a
> TRUST.

you, as an admin, are presented with nice text names, because they are
easy to understand instead of numbers.

me, as an OS, needs to use SIDs and uids for security reasons.  if me, as
an OS, starts using text names, you end up with security breaches when
someone deletes a user and recreates it with the same name.
 
> The tool that I am using in the scripts seems to be similar to the RPCCLIENT
> description.

interesting.

> The script also handles deletion of access by disabling users.  auto-unpop.
> 
> An unrelated sweeper tool notifies me of dead accounts, so that a proper
> cleanup can be done.

yes, i was thinking of this, last night.  in order to catch idiot admins
that change uids on usernames, there should be a consistency sweep across
the SURS table if an auto-pop algorithm is being used.  any EXISTING
entries that do not match up in the auto-pop algorithm should be trashed
from the table.
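The two points made in the message above (key the mapping on SIDs and uids rather than names, and sweep an auto-populated SURS table for entries the auto-pop rule would no longer produce) as an added, self-contained example. This is not code from the post, from Samba, pam_ntdom or winbind; the auto-populate rule (NT account name equals POSIX login name) is an assumption, and every SID, uid and account name below is constructed.

```python
"""Toy SID <-> uid resolution (SURS) table with a consistency sweep.

Added example: not code from the post above, nor from Samba, pam_ntdom
or winbind.  The auto-populate rule (NT name == POSIX login name) is an
assumption, and every SID, uid and account name is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """A domain account as the NT side presents it: a name and an immutable SID."""
    name: str
    sid: str


class SursTable:
    """Bidirectional SID <-> uid map.  Keys are identifiers only; names are
    for admins to read and never drive a security decision here."""

    def __init__(self) -> None:
        self._uid_by_sid: Dict[str, int] = {}
        self._sid_by_uid: Dict[int, str] = {}

    def add(self, sid: str, uid: int) -> None:
        # Each SID and each uid may appear once, or one direction of the
        # resolution becomes ambiguous.
        if sid in self._uid_by_sid or uid in self._sid_by_uid:
            raise ValueError(f"duplicate mapping for {sid} / {uid}")
        self._uid_by_sid[sid] = uid
        self._sid_by_uid[uid] = sid

    def remove(self, sid: str) -> None:
        del self._sid_by_uid[self._uid_by_sid.pop(sid)]

    def uid_for(self, sid: str) -> Optional[int]:
        return self._uid_by_sid.get(sid)

    def sid_for(self, uid: int) -> Optional[str]:
        return self._sid_by_uid.get(uid)

    def entries(self) -> List[Tuple[str, int]]:
        # Sorted copy, so callers may remove entries while iterating.
        return sorted(self._uid_by_sid.items())


def auto_pop(nt_accounts: List[Account], passwd: Dict[str, int]) -> Dict[str, int]:
    """Assumed auto-populate rule: an NT account maps to the POSIX login of
    the same name.  Returns the SID -> uid pairs the rule yields right now."""
    return {a.sid: passwd[a.name] for a in nt_accounts if a.name in passwd}


def sweep(table: SursTable, nt_accounts: List[Account],
          passwd: Dict[str, int]) -> List[Tuple[str, int]]:
    """Consistency sweep: trash every EXISTING entry the auto-pop rule would
    not produce today (uid changed under a login, account removed, ...).
    Returns the (sid, uid) pairs that were trashed."""
    expected = auto_pop(nt_accounts, passwd)
    trashed = []
    for sid, uid in table.entries():
        if expected.get(sid) != uid:
            table.remove(sid)
            trashed.append((sid, uid))
    return trashed


def resync(table: SursTable, nt_accounts: List[Account],
           passwd: Dict[str, int]) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Sweep stale entries, then add whatever the rule now produces that is
    missing.  Sweeping first frees uids that would otherwise collide."""
    trashed = sweep(table, nt_accounts, passwd)
    added = []
    for sid, uid in sorted(auto_pop(nt_accounts, passwd).items()):
        if table.uid_for(sid) is None:
            table.add(sid, uid)
            added.append((sid, uid))
    return trashed, added


def name_reuse_check() -> Tuple[bool, bool]:
    """Why the OS keys on SIDs, not names: delete 'alice', recreate 'alice'.
    The new account gets a fresh SID, so a SID-keyed ACL entry for the old
    alice no longer matches, while a name-keyed one silently does.
    Returns (name_keyed_grants, sid_keyed_grants)."""
    old_alice = Account("alice", "S-1-5-21-1-2-3-1001")   # constructed
    new_alice = Account("alice", "S-1-5-21-1-2-3-1105")   # same name, new RID
    acl_by_name = {old_alice.name}
    acl_by_sid = {old_alice.sid}
    return new_alice.name in acl_by_name, new_alice.sid in acl_by_sid


if __name__ == "__main__":
    # Constructed domain and passwd contents.
    nt = [Account("alice", "S-1-5-21-1-2-3-1001"),
          Account("bob", "S-1-5-21-1-2-3-1002"),
          Account("carol", "S-1-5-21-1-2-3-1003")]
    passwd = {"alice": 1001, "bob": 1002, "carol": 1003}
    table = SursTable()
    resync(table, nt, passwd)
    # An admin renumbers bob and deletes carol's POSIX account.
    passwd = {"alice": 1001, "bob": 2002}
    print("trashed/added:", resync(table, nt, passwd))
    print("name-keyed vs SID-keyed grant after recreate:", name_reuse_check())
```

The sweep runs before re-population on purpose: an entry whose uid an admin changed is trashed, the new uid is then picked up from the rule, and nothing is ever resolved through the text name that both the old and the recreated account share.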



More information about the samba-technical mailing list