Security Identifier (SID) to User Identifier (uid) Resolution System

Michael Stockman pgmtekn-micke at algonet.se
Thu Dec 30 22:00:27 GMT 1999


Hello,

> Luke Kenneth Casson Leighton wrote:
> >
> > On Thu, 30 Dec 1999, Jeremy Allison wrote:
> >
> > > Michael Stockman wrote:
> > > >
> > > > As far as I can see the algorithmic solution is good for all users
> > > > samba accepts that belong to samba's SAM (implemented in smbpasswd,
> > > > LDAP, NIS or whatever). However it seems to me that this is not the
> > > > case when samba is supposed to accept users belonging to a remote SAM.
> > >
> > > What *exactly* do you mean by "accept". This is the crux of the
> > > discussion. Currently Samba "accepts" logons by name. Samba only
> > > accepts SIDs in ACL set requests. It currently doesn't accept a
> > > non-local SID in an ACL set request, and I don't think it should.

An accepted user is a user that samba is prepared to perform a service
to. Normally this would be an authenticated user, but guests are ok.
Rejected users are not accepted.

> > i know you don't.  means samba will never be fully nt-domain
> > interoperable.
>
> Well, in order for Samba to store a non-local SID in an
> ACL set it must have some way to store it in the filesystem.
>
> POSIX doesn't allow this.
>
> If this is the problem that means "samba will never be fully nt-domain
> interoperable" then I'm sorry, but I can't fix all the POSIX
> systems in the world.

I tried to argue in a mail to you (Jeremy) this morning that this does
not need to be stored in the file system. Take the very common
situation where samba is a domain member.

A domain user (owned by the domain PDC's SAM) is allowed to access
files on our server. For that to be done correctly, samba needs to
know that when that username in that domain asks for a file, the user
should be mapped to that local POSIX uid. If we reverse the process,
when you look at that POSIX uid, it represents that username in that
domain. It does not represent a local user with the same username on
the samba workstation, which in NT is a completely different user. The
result is that ACLs contain remote SIDs without any change to the file
system, only through keeping a one to one mapping between POSIX users
and NT users.

This is the short story, and I'd be very interested in seeing a
response to my previous mail.

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se
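The one-to-one POSIX-to-NT mapping argued for in the mail above, as an added example that is not Samba's own code: local-SAM users are mapped algorithmically (the rid = 2*uid + 1000 scheme is an assumption), users from a remote SAM get a uid reserved from a separate range, and the reverse lookup returns the remote SID rather than a same-named local user. All domain SIDs, names and uid ranges are constructed values.

```python
# Added example (not Samba code): a one-to-one SID <-> uid mapping table.
# Local-SAM users map algorithmically; remote-SAM users (e.g. the domain
# PDC's) get a uid from a reserved range, and uid -> SID returns the
# *remote* SID, never a local user who happens to share the username.
# Domain SIDs and the uid range below are constructed, not real values.

LOCAL_DOMAIN_SID = "S-1-5-21-1000-2000-3000"   # constructed: this server's SAM
REMOTE_UID_RANGE = range(10000, 20000)          # constructed: uids for remote SIDs


class SidMapper:
    def __init__(self, local_sid=LOCAL_DOMAIN_SID, remote_range=REMOTE_UID_RANGE):
        self.local_sid = local_sid
        self.free_uids = iter(remote_range)
        self.sid_to_uid_tbl = {}   # remote SID -> uid (would be persisted on disk)
        self.uid_to_sid_tbl = {}   # uid -> remote SID (the reverse direction)

    @staticmethod
    def split(sid):
        """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
        domain, _, rid = sid.rpartition("-")
        return domain, int(rid)

    def sid_to_uid(self, sid):
        domain, rid = self.split(sid)
        if domain == self.local_sid:
            # Assumed algorithmic scheme for our own SAM: rid = 2*uid + 1000.
            if rid < 1000 or rid % 2:
                raise ValueError("not a user RID of the local SAM: %s" % sid)
            return (rid - 1000) // 2
        # Remote SAM: allocate a uid once, then always return the same one.
        if sid not in self.sid_to_uid_tbl:
            uid = next(self.free_uids)
            self.sid_to_uid_tbl[sid] = uid
            self.uid_to_sid_tbl[uid] = sid
        return self.sid_to_uid_tbl[sid]

    def uid_to_sid(self, uid):
        if uid in self.uid_to_sid_tbl:      # remote user: the table is the truth
            return self.uid_to_sid_tbl[uid]
        return "%s-%d" % (self.local_sid, 2 * uid + 1000)


def demo():
    """Local 'alice' (uid 1000) and DOMAIN\\alice resolve to different uids."""
    m = SidMapper()
    local_alice = LOCAL_DOMAIN_SID + "-3000"   # constructed: local uid 1000
    domain_alice = "S-1-5-21-7-8-9-1105"       # constructed: same name, PDC's SAM
    return (m.sid_to_uid(local_alice), m.sid_to_uid(domain_alice),
            m.uid_to_sid(m.sid_to_uid(domain_alice)))
```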