ACL / SDs

Elrond Elrond at Wunder-Nett.org
Fri Feb 25 13:47:18 GMT 2000


On Fri, Feb 25, 2000 at 04:06:24PM +1100, Luke Kenneth Casson Leighton wrote:
[...]
> > > for those people who may be thinking, "eh???", here's the crunch: a) the
> > > two local SURS tables *may* contain identical lookups b) this results in
> > > both local unix systems following the posix convention of using the same
> > > local uids and gids to give the impression that both systems have remote
> > > groups, and the user on both systems sees a consistent user/group
> > > view-thing.
> > >
> > > you get the idea.
> > >
> > > anyway, this is pretty off-topic for what you wanted to discuss, tim, i
> > > should imagine.
> > 
> > So, in cases where samba is a PDC we'll only need to do the lookup
> > once (when we create the NET_USER_INFO3 struct, on login) and when we
> 
> yep.
> 
> > are domain members (etc.) we'll need to do a lookup once (when we get
> > sent a NET_USER_INFO3 struct, on login). Ok, this was easy :-).
> 
> yep.
> 
> i think this should be a smb.conf option thing.  "obey unix local groups"
> or "translate NET_USER_INFO3 group_rids to unix local groups".
> 
> we can sell this as "being faster" because you don't have to do a
> getgroups() twice for the same user (once on the PDC, once on the domain
> member) for the same login.
> 
> and hope like hell that the SURS implementation is fast :)


Isn't "domain group map" good for this:

Everything that is not in the domain group map is an
"alias" ("obey unix local groups" should do it that way,
right?), and the entries in the map may map remote
group_rids to local unix groups ("translate NET_USER_INFO3
group_rids to unix local groups").


From a second glance, this all looks like we need a surs
for the groups too (and the nt5ldap-surs and the tdb-surs
support that already, AFAIK).


    Elrond
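The translation sketched in this thread, as an added example that is not part of the original message or of samba itself: a SURS-style group map in a constructed, hypothetical file format, the single login-time lookup from NET_USER_INFO3 group_rids to local gids with unmapped RIDs handed back for local-alias handling, and the check that two tables (PDC and member) agree, which is what Luke's "identical lookups" point relies on. The map format, class and function names, and the SIDs are all assumptions.

```python
from dataclasses import dataclass

# Constructed table in a hypothetical "unixgroup:gid = group SID" format (not samba's own file format).
SAMPLE_MAP = """\
# constructed sample, one entry per line
staff:1001  = S-1-5-21-111-222-333-513
admins:1002 = S-1-5-21-111-222-333-512
"""

@dataclass
class NetUserInfo3:
    """The parts of NET_USER_INFO3 the thread talks about (constructed subset)."""
    domain_sid: str
    primary_group_rid: int
    group_rids: list

def parse_group_map(text):
    """Parse the table into {group SID: (unix name, gid)}; reject malformed or duplicate lines."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, sep, sid = line.partition("=")
        name, _, gid = lhs.strip().partition(":")
        sid = sid.strip()
        if not sep or not name or not gid.isdigit() or not sid.startswith("S-1-"):
            raise ValueError(f"line {lineno}: expected 'unixgroup:gid = SID'")
        if sid in mapping:
            raise ValueError(f"line {lineno}: {sid} is mapped twice")
        mapping[sid] = (name, int(gid))
    return mapping

def resolve_groups(info3, group_map):
    """The single login-time lookup: INFO3 group RIDs -> local gids.
    RIDs with no entry are returned separately rather than guessed, so the caller
    can treat them as local aliases (the thread's reading of 'domain group map')."""
    gids, unmapped = [], []
    for rid in [info3.primary_group_rid, *info3.group_rids]:
        entry = group_map.get(f"{info3.domain_sid}-{rid}")
        if entry is None:
            unmapped.append(rid)
        elif entry[1] not in gids:
            gids.append(entry[1])
    return gids, unmapped

def tables_consistent(map_a, map_b):
    """True when the PDC and member tables agree on the gid of every SID both know."""
    return all(map_a[s][1] == map_b[s][1] for s in map_a.keys() & map_b.keys())
```

Keying the map on the full group SID rather than the bare RID means RIDs from a different domain SID fall through as unmapped instead of colliding with local entries.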



More information about the samba-technical mailing list