Security Identifier (SID) to User Identifier (uid) Resolution System

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Tue Jan 4 18:16:13 GMT 2000


> -----Original Message-----
> From:	Luke Kenneth Casson Leighton [SMTP:lkcl at samba.org]
> Sent:	Friday, December 31, 1999 4:58
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	Re: Security Identifier (SID) to User Identifier (uid)
> ResolutionSystem
> 
> john, thx 4 input.
> 
> > > simulate NT ACLs, you mean.  and the mapping between NT ACLs and unix
> > > file/directory permissions does not depend on the target unix host
> > > having ACLs (see above).
> > 
> > It supplies nowhere near the same utility.  Obviously it can be done,
> > and is being done, but you are basically limited to the owner and two
> > built in groups, and having to deal with the READONLY bit.
> > 
> > Setting a file READONLY is easy.  Clearing the READONLY bit is
> > problematic for a POSIX based security system.  Should it be cleared
> > for just Owner, or also for Group and World?
> > 
> > (I do not quite remember what SAMBA actually does in this case.)  The
> > current main VMS port ignores those attributes, and I have not coded a
> > better implementation other than to accurately report the current ones
> > for the file.)
> 
> this is an "encapsulated" problem, as part of the "simulation" of NT ACLs,
> using traditional unix file permissions.
> 
> appreciate you bringing this up.
> 
	I should point out (more for the benefit of the list than yours)
that we aren't really simulating NT ACLs (we can't) -- the ACLs/triads have
the semantics assigned to them by the underlying system, rather than NT.
There's no way around that.

	A system where you actually can store NT ACLs directly and use them
for access control (i.e. the NTFS driver w/ bypass that you mention
frequently) is only a degenerate case.

