ACL / SD support

Tue Feb 15 23:44:07 GMT 2000

if you have posix acls, you're going to have to write _some_ sort of
conversion, the conversion is unavoidable.

if you have HPUX acls, you have to write _some_ sort of conversion, the
conversion is unavoidable.

what i don't get is why you want to convert from security descriptors to a
new, intermediate, internal API that has to support both a maximum _and_ a
minimum of the functionality provided _by_ security descriptors, it
doesn't buy you anything.

does it?

On Wed, 16 Feb 2000, Michael Stockman wrote:

> Hello,
> 
> > > The intent is to make an API to uniformly work with SDs in samba,
> > > regardless of the format it is saved in. I think it would be good
> if
> > > you wouldn't have to write one samba implementation for each SD
> >
> > that's unavlidable, michael, which is why i don't understand why
> you're
> > going with this alternative impl. to SDs.
> 
> Why is it unavoidable? In fact, it is impossible to do it any other
> way. If you can write a samba that works on one system and one that
> works on another, you could write one that works on both.
> 
> > > If the target system support SIDs, what type would uid_t be? How
> would
> > > we get the SID from the file system? My guess is that a SID
> filesystem
> > > have a SURS table and only return uid_t/gid_t to us. In other
> cases,
> >
> > the surs table (controlled by sursswitch.conf) is independent of the
> > filesystem.  it has to be.
> 
> Which doesn't answer my question, what do we get from the file system?
> 
> > > I believe that as long as you don't want to send the ACL to the
> client
> > > (use it for access checking) no conversion at all will be
> necessary. I
> > > think you both obtain uid and all gids in the session setup, and
> hope
> > > you hang on to them. If so, then no conversion is needed there
> either.
> >
> > and the NET_USER_INFO3 structure, which contains NT user SID, NT
> primary
> > group SID and user's NT groups.
> 
> Are you saying that you are disposing the unix uid and gids? I know
> that each NT user have got a uid. I thought that uid was used to
> resolve the gids and that all of the uid and gids were resolved to
> those SIDs you say you have. If you don't save them, maybe you should?
> If this is wrong, I'll make an argument for the actual case.
> 
> > > I see hell for you, Luke, as NT is using the same access bits with
> > > different meaning depending on which object the ACL is associated
> >
> > yes.  however, they are consistent.
> 
> Would that be in difference to ... what? I don't think I've said
> anything that would make my SDs/ACLs inconsistent.
> 
> > you do realise that i can't use your code in, say, samrd, lsarpcd
> and
> > maybe winregd, don't you?
> 
> No.
> 
> > you do realise i'm still going to need a full, native SD access
> checking
> > routine like the one i described last week?
> 
> No, I don't see why you couldn't use a POSIX based SD checking routine
> to check the POSIX user's access to a resource, which is equivalent to
> the that of the mapped NT user. I tought we agreed that uid/gid <->
> SID is a 1 to 1 mapping. Which is used is thus unimportant, except for
> philosophical reasons.
> 
> As far as I can see, at this point you are claiming that what I'm
> doing can't be used, and I can see no reason. I'm afraid I'm too
> offensive in my argument, but I'm trying to make sure I'm getting your
> points and that you get my points as I mean them.
> 
> Best regards
>   Michael Stockman
>   pgmtekn-micke at algonet.se
> 
> 
> 

<a href="mailto:lkcl at samba.org" > Luke Kenneth Casson Leighton    </a>
<a href="http://cb1.com/~lkcl"  > Samba and Network Development   </a>
<a href="http://samba.org"      > Samba Web site                  </a>
<a href="http://www.iss.net"    > Internet Security Systems, Inc. </a>
<a href="http://mcp.com"        > Macmillan Technical Publishing  </a>

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals