ACL / SD support

Tue Feb 15 21:53:02 GMT 2000

Hello,

> > The intent is to make an API to uniformly work with SDs in samba,
> > regardless of the format it is saved in. I think it would be good
if
> > you wouldn't have to write one samba implementation for each SD
>
> that's unavlidable, michael, which is why i don't understand why
you're
> going with this alternative impl. to SDs.

Why is it unavoidable? In fact, it is impossible to do it any other
way. If you can write a samba that works on one system and one that
works on another, you could write one that works on both.

> > If the target system support SIDs, what type would uid_t be? How
would
> > we get the SID from the file system? My guess is that a SID
filesystem
> > have a SURS table and only return uid_t/gid_t to us. In other
cases,
>
> the surs table (controlled by sursswitch.conf) is independent of the
> filesystem.  it has to be.

Which doesn't answer my question, what do we get from the file system?

> > I believe that as long as you don't want to send the ACL to the
client
> > (use it for access checking) no conversion at all will be
necessary. I
> > think you both obtain uid and all gids in the session setup, and
hope
> > you hang on to them. If so, then no conversion is needed there
either.
>
> and the NET_USER_INFO3 structure, which contains NT user SID, NT
primary
> group SID and user's NT groups.

Are you saying that you are disposing the unix uid and gids? I know
that each NT user have got a uid. I thought that uid was used to
resolve the gids and that all of the uid and gids were resolved to
those SIDs you say you have. If you don't save them, maybe you should?
If this is wrong, I'll make an argument for the actual case.

> > I see hell for you, Luke, as NT is using the same access bits with
> > different meaning depending on which object the ACL is associated
>
> yes.  however, they are consistent.

Would that be in difference to ... what? I don't think I've said
anything that would make my SDs/ACLs inconsistent.

> you do realise that i can't use your code in, say, samrd, lsarpcd
and
> maybe winregd, don't you?

No.

> you do realise i'm still going to need a full, native SD access
checking
> routine like the one i described last week?

No, I don't see why you couldn't use a POSIX based SD checking routine
to check the POSIX user's access to a resource, which is equivalent to
the that of the mapped NT user. I tought we agreed that uid/gid <->
SID is a 1 to 1 mapping. Which is used is thus unimportant, except for
philosophical reasons.

As far as I can see, at this point you are claiming that what I'm
doing can't be used, and I can see no reason. I'm afraid I'm too
offensive in my argument, but I'm trying to make sure I'm getting your
points and that you get my points as I mean them.

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se