ACL / SD support

Michael Stockman pgmtekn-micke at
Tue Feb 15 21:53:02 GMT 2000


> > The intent is to make an API to uniformly work with SDs in samba,
> > regardless of the format it is saved in. I think it would be good
> > you wouldn't have to write one samba implementation for each SD
> that's unavoidable, michael, which is why i don't understand why
> going with this alternative impl. to SDs.

Why is it unavoidable? In fact, it is impossible to do it any other
way. If you can write a samba that works on one system and one that
works on another, you could write one that works on both.

> > If the target system support SIDs, what type would uid_t be? How
> > we get the SID from the file system? My guess is that a SID
> > have a SURS table and only return uid_t/gid_t to us. In other
> the surs table (controlled by sursswitch.conf) is independent of the
> filesystem.  it has to be.

Which doesn't answer my question, what do we get from the file system?

> > I believe that as long as you don't want to send the ACL to the
> > (use it for access checking) no conversion at all will be
> > necessary. I
> > think you both obtain uid and all gids in the session setup, and
> > you hang on to them. If so, then no conversion is needed there
> and the NET_USER_INFO3 structure, which contains NT user SID, NT
> group SID and user's NT groups.

Are you saying that you are disposing of the unix uid and gids? I know
that each NT user has got a uid. I thought that uid was used to
resolve the gids and that all of the uid and gids were resolved to
those SIDs you say you have. If you don't save them, maybe you should?
If this is wrong, I'll make an argument for the actual case.

> > I see hell for you, Luke, as NT is using the same access bits with
> > different meaning depending on which object the ACL is associated
> yes.  however, they are consistent.

Would that be in difference to ... what? I don't think I've said
anything that would make my SDs/ACLs inconsistent.

> you do realise that i can't use your code in, say, samrd, lsarpcd
> maybe winregd, don't you?
> you do realise i'm still going to need a full, native SD access
> routine like the one i described last week?

No, I don't see why you couldn't use a POSIX based SD checking routine
to check the POSIX user's access to a resource, which is equivalent to
that of the mapped NT user. I thought we agreed that uid/gid <->
SID is a 1 to 1 mapping. Which is used is thus unimportant, except for
philosophical reasons.

As far as I can see, at this point you are claiming that what I'm
doing can't be used, and I can see no reason. I'm afraid I'm too
offensive in my argument, but I'm trying to make sure I'm getting your
points and that you get my points as I mean them.

Best regards
  Michael Stockman
  pgmtekn-micke at

More information about the samba-technical mailing list