Security Identifier (SID) to User Identifier (uid) Resolution System

Nicolas Williams Nicolas.Williams at wdr.com
Thu Dec 30 20:46:29 GMT 1999


On Thu, Dec 30, 1999 at 01:40:49PM -0700, Leslie M. Barstow III wrote:
> On Thu, 30 Dec 1999, Nicolas Williams wrote:
> > Leslie M. Barstow III (phoenix at faerealm.com) wrote:
> 
> > Luke insists that the current behaviour is bad. IT IS NOT. It just
> > looks bad because when one tries to look at and manipulate ACLs on Unix
> > files on SMB clients via Samba fileservers one will see user/group names
> > that are qualified as being local to the Samba server REGARDLESS of any
> > REAL EQUIVALENCY there might actually be between the NT user and its
> > Unix persona.
> 
> Actually, I think Jeremy over-simplified when he stated there were no
> problems with multiple domains (on which you based this conclusion).  For
> your situation, he is right - there is no problem with current
> name-mapping.  However, you and I are both thinking about corporate
> mergers.  I've already seen name conflicts between domains, and neither
> half of the new company wants to change, but they want added access.  The
> SIDs work together, but Samba only uses the name, and that doesn't.

Well, yes, but then you'd also have Unix username conflicts, most
likely... :(

Anyways, I think SURS can be an appropriate tool to deal with mergers,
sometimes, if the circumstances are right.

[...]
> > A getXXXbyYYY() interface is needed that does not hide SIDs.
> 
> We could put the SID in the GECOS field...

Yuk!

> > Actually, a generic interface to user credentials (POSIX, NT, whatever)
> > is needed. This might then generate interest in kernels supporting more
> > than one type of credential for processes and, eventually, for files.
> 
> > After all, the use of cred structs in many *nix kernels was done to make
> > credentials more opaque to various areas of kernel code. Let's further
> > this trend.
> 
> This is beyond my time abilities.  If someone wants to champion this, I
> would welcome it.  The Linux community would either think (a) this is a
> good hack, or (b) it will slow down the system substantially (arbitrary
> credentials being looked up almost constantly will not be quick...)

I'm not a member of the Linux community.

[...]
> PS - how do you folks get through all of these messages?  I could have
>      a full-time job just on conversations :-}

Y2K freeze. You won't hear from me much after today... The project
deluge begins in a few days.

> --
> Leslie M. Barstow III  | http://www.faerealm.com/phoenix
> phoenix at faerealm.com   |    Linux and Apple][GS links:    computers/
> PGP key at www.pgp.com |    Fight junk e-mail abuse!:     computers/spam/
> Wow!  It all fits.     |

Nico
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
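
The domain-merger name conflict discussed in this message, as an added example that is not part of the original thread and is not Samba or SURS code. All SIDs, domain names and uids are constructed, and `map_by_sid` is a hypothetical SID-keyed table used only to contrast with name-only mapping.

```python
# Added illustration; every SID, domain name and uid below is constructed.
NT_ACCOUNTS = [  # (SID, NT domain, account name) from two merged domains
    ("S-1-5-21-1111111111-2222222222-3333333333-1104", "ACME", "jsmith"),
    ("S-1-5-21-4444444444-5555555555-6666666666-1104", "GLOBEX", "jsmith"),
    ("S-1-5-21-1111111111-2222222222-3333333333-1105", "ACME", "mlee"),
]
UNIX_PASSWD = {"jsmith": 1001, "mlee": 1002}  # stand-in for the passwd database


def split_sid(sid):
    """Split a SID string into (domain SID, RID)."""
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def map_by_name(accounts, passwd):
    """Name-only mapping: the SID and the domain play no part in the result."""
    return {sid: passwd[name] for sid, _domain, name in accounts if name in passwd}


def map_by_sid(accounts, first_uid=20000):
    """Hypothetical SID-keyed table: each distinct SID gets its own uid."""
    table = {}
    for sid, _domain, _name in accounts:
        if sid not in table:
            table[sid] = first_uid + len(table)
    return table


def shared_uids(mapping):
    """Audit check: return {uid: [SIDs]} for every uid held by more than one SID."""
    by_uid = {}
    for sid, uid in mapping.items():
        by_uid.setdefault(uid, []).append(sid)
    return {uid: sorted(sids) for uid, sids in by_uid.items() if len(sids) > 1}


if __name__ == "__main__":
    for label, mapping in (("by name", map_by_name(NT_ACCOUNTS, UNIX_PASSWD)),
                           ("by SID", map_by_sid(NT_ACCOUNTS))):
        print(label)
        for sid, uid in mapping.items():
            print("  uid %d <- %s (RID %d)" % (uid, sid, split_sid(sid)[1]))
        print("  shared uids:", shared_uids(mapping) or "none")
```

Running `shared_uids` over a real name-to-uid mapping is a quick audit for accounts from different domains that end up with the same Unix identity.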




More information about the samba-technical mailing list