Security Identifier (SID) to User Identifier (uid) Resolution System

Todd Sabin tastas at home.com
Thu Dec 30 20:44:31 GMT 1999


Luke Kenneth Casson Leighton <lkcl at samba.org> writes:

> On 30 Dec 1999, Todd Sabin wrote:
> 
> > Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
> > 
> > > > > Ok, so the current algorithmic mapping will now definitely not satisfy
> > > > > the needs of the environment where I work.
> > > > 
> > > > I don't see why not. Whenever these users access files on
> > > > a Samba server they're doing it as a uid the Samba server
> > > > knows about, so what is the problem ? Yes if they look at
> > > > the ACLs on a file they will see users local to the Samba
> > > > server as entries, but that's exactly what the ACLs on the
> > > > Samba server represent.
> > > 
> > > and what happens when you select a samba server in show-users from an NT
> > > workstation?
> > > 
> > > yes, this is possible.
> > > 
> > 
> > Only if the samba server is the DC (or trusted DC) of the machine
> > whose file you're manipulating.  Those are the only machines you can
> > show users from.  Which is as it should be, because those are the only
> > accounts that the machine can authenticate.  The GUI is smart enough
> > to limit your choices to those that actually make sense.
> 
> are you sure?  and what about cacls.exe?

Yes, I'm sure (about the GUI); it's been true for years.  I don't know
about cacls.  Nothing stops you from putting bogus SIDs in ACLs at the
API level, so it's possible that cacls might let you do it.  If it
does, though, those ACEs would be total deadweight, as no one could
authenticate as one of those accounts.


Todd
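
The "deadweight" ACEs described in the message above can be found by trying to resolve every SID in an ACL to an account name. The PowerShell below is an added example, not part of the original thread; the function name `Get-UnresolvedAce` and the sample path are assumptions.

```powershell
# Added example: list ACEs whose SID cannot be resolved to an account.
# Get-UnresolvedAce is a hypothetical helper name, not a built-in cmdlet.
function Get-UnresolvedAce {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $acl = Get-Acl -LiteralPath $Path

    # Ask for raw SIDs so no name lookup happens until we request one.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference
        try {
            # Succeeds only if the local machine or a reachable domain
            # knows an account for this SID.
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No account maps to this SID from this machine's point of view.
            # This also happens for deleted accounts and for domains that
            # are unreachable, so treat the result as a lead to verify.
            [pscustomobject]@{
                Path      = $Path
                Sid       = $sid.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed sample path; replace with a directory on the server under review.
Get-ChildItem -LiteralPath 'C:\Shares\projects' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-UnresolvedAce -Path $_.FullName } |
    Format-Table -AutoSize
```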

