Security Identifier (SID) to User Identifier (uid) Resolution System
Todd Sabin
tastas at home.com
Thu Dec 30 22:27:30 GMT 1999
Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
> > > > >
> > > > > and what happens when you select a samba server in show-users from an NT
> > > > > workstation?
> > > > >
> > > > > yes, this is possible.
> > > > >
> > > >
> > > > Only if the samba server is the DC (or trusted DC) of the machine
> > > > whose file you're manipulating. Those are the only machines you can
> > > > show users from. Which is as it should be, because those are the only
> > > > accounts that the machine can authenticate. The GUI is smart enough
> > > > to limit your choices to those that actually make sense.
> > >
> > > > are you sure? and what about cacls.exe?
> >
> > Yes, I'm sure (about the GUI); it's been true for years. I don't know
> > about cacls. Nothing stops you from putting bogus SIDs in ACLs at the
> > API level, so it's possible that cacls might let you do it. If it
> > does, though, those ACEs would be total deadweight, as no one could
> > authenticate as one of those accounts.
> >
> >
> > Todd
> >
>
>
> i'm thinking of using cacls (or the GUI, but you tell me it can't be done)
> to add a _valid_ SID on some arbitrarily selected workstation. for files
> access on another local workstation.

Yes, I understand, but it's pointless to do so. There's no way for
someone to prove to WKSA that they are user WKSB\foo. A machine can
only authenticate users managed by machines that it has a trust
relationship with. Workstations don't have trust relationships with
each other.

I meant 'bogus SID' in a relative sense, i.e., any SID that a machine
could never authenticate, whether or not it is actually defined
somewhere else. Sorry, that probably wasn't clear.

Todd