Security Identifier (SID) to User Identifier (uid) Resolution System

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Tue Jan 4 18:18:00 GMT 2000


> -----Original Message-----
> From:	Luke Kenneth Casson Leighton [SMTP:lkcl at samba.org]
> Sent:	Thursday, December 30, 1999 3:01
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	Re: Security Identifier (SID) to User Identifier (uid) Resolution System
> 
> On Thu, 30 Dec 1999, Jeremy Allison wrote:
> 
> > Michael Stockman wrote:
> > > 
> > > As far as I can see the algorithmic solution is good for all users
> > > samba accepts that belong to samba's SAM (implemented in smbpasswd,
> > > LDAP, NIS or whatever). However it seems to me that this is not the
> > > case when samba is supposed to accept users belonging to a remote SAM.
> > 
> > What *exactly* do you mean by "accept". This is the crux of the 
> > discussion. Currently Samba "accepts" logons by name. Samba only
> > accepts SIDs in ACL set requests. It currently doesn't accept a
> > non-local SID in an ACL set request, and I don't think it should.
> 
> i know you don't.  means samba will never be fully nt-domain
> interoperable.
> 
	This is actually something I've spent most of the holiday thinking
about, as an offshoot of my work with extending Samba's ACL support.  (it
was somewhat of a surprise to come back today, check my mail, and find out
that the rest of you folks had been thinking of the exact same things :P)

	To reinforce Luke's point, what the problem boils down to is this:

	Samba can ONLY fully participate in an NT Domain environment IFF it
is possible for Samba to have (and be aware of) 1:1 mappings between
specific SIDs and specific POSIX uids/gids.

	The ONLY way to accomplish this is to have a consistent, two-way
mapping DIRECTLY between SIDs and uids/gids (that is, there should be no
intermediate mapping stage relying on names, since there is not always a 1:1
mapping between names and SIDs).

	Since the SID space is so much larger than the uid/gid space, the
ONLY way to accomplish that is by having something like Luke's SURS table.
Fine, winbind can worry about that for the most part, but one way or another
Samba DOES need to be able to query which local "POSIX identities" are
EQUIVALENT (for security purposes) to certain remote SIDs (implying a 1:1
mapping), or, to the best of my understanding, some NT domain functionality
simply cannot be made to work, or will "work" in rather bizarre (and
consequently undesirable) ways.
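A minimal illustration of the direct, name-free two-way SID to uid/gid table the message argues for, added here as an example; it is not Samba's or winbind's code, and the IdMap class, its id ranges and the SIDs it allocates are constructed for the demonstration:

```python
import re
from typing import Dict, Optional

# Constructed example: a bijective SID <-> POSIX id table in the spirit of the
# "SURS table" mentioned above. No name lookup sits between SID and id, so two
# accounts that share a name in different domains still get distinct ids.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


class IdMap:
    """Allocate POSIX ids for SIDs from a fixed range and answer both directions."""

    def __init__(self, first: int, last: int) -> None:
        if first > last:
            raise ValueError("empty id range")
        self._next, self._last = first, last
        self._sid_to_id: Dict[str, int] = {}
        self._id_to_sid: Dict[int, str] = {}

    def lookup_sid(self, sid: str) -> Optional[int]:
        return self._sid_to_id.get(sid)

    def lookup_id(self, posix_id: int) -> Optional[str]:
        return self._id_to_sid.get(posix_id)

    def allocate(self, sid: str) -> int:
        """Return the id already bound to sid, or bind the next free one (1:1)."""
        if not SID_RE.match(sid):
            raise ValueError(f"malformed SID: {sid!r}")
        bound = self._sid_to_id.get(sid)
        if bound is not None:
            return bound
        if self._next > self._last:
            # Refuse rather than reuse an id: reuse would silently merge two
            # security principals on the POSIX side.
            raise RuntimeError("id range exhausted")
        posix_id, self._next = self._next, self._next + 1
        self._sid_to_id[sid] = posix_id
        self._id_to_sid[posix_id] = sid
        return posix_id


def demo_two_domains():
    """Same account name in two domains: distinct SIDs, hence distinct uids."""
    users = IdMap(10000, 19999)  # constructed uid range for remote principals
    alice_doma = "S-1-5-21-11111-22222-33333-1104"  # constructed: DOMA\alice
    alice_domb = "S-1-5-21-44444-55555-66666-1104"  # constructed: DOMB\alice
    return users.allocate(alice_doma), users.allocate(alice_domb)
```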
