Security Identifier (SID) to User Identifier (uid) Resolution System

Leslie M. Barstow III phoenix at
Wed Jan 5 05:59:10 GMT 2000

On Tue, 4 Jan 2000, Stephen Langasek wrote:
> [Les Barstow wrote:]
> > Actually, I was referring to this in terms of winbind only.  Since winbind
> > would have complete control over all of this, the hack isn't quite as bad
> > as it seems.  But I agree, it is pretty bad.  I was just suggesting it
> > because the requirements of retaining SIDs within the current style
> > framework were requested.
> Well, winbind, as I've seen it proposed here, is a backend for nsswitch,
> which is configurable.  You will almost certainly want other modules besides
> winbind being used for lookups, and you will almost certainly want these
> other modules to have precedence.  Which means any user with an account on
> the local system, with access to chfn, can royally screw over any program
> which assumes an SID found in the passwd entry is correct.

You take all the fun out of it.  What you say is true.  I don't think the
current framework allows for much better than this, however.  It *would*
satisfy the request for "appliance-mode" systems.  I think keeping it out
of getXbyY() is best for now - make a new call until we can get a good
replacement auth/cred/info system.

Sun had a good start when it did PAM and NSSwitch, but it failed to
integrate them well with each other and with the system.  We really do
need a more flexible framework, but none currently exists.  This really
needs to go over to systems programming people.  I'd suggest sending it to
the Linux development team, or maybe SGI, 'cause Sun, IBM, HP, and Compaq
aren't likely to initiate something this radical. (Sun *maybe*, but
getting the request to the right people could be a chore...)

Leslie M. Barstow III  |
phoenix at   | Linux and Apple][GS links:  computers/
PGP key at | Fight junk e-mail abuse!:   computers/spam/
Wow! It all fits.      |
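The objection in the quoted reply, as an added example that is not code from this thread or from Samba: a simulated nsswitch stack with `files` listed before `winbind`, where the SID is carried in the passwd entry (assumed here to be encoded in the GECOS field, since that is the field chfn edits). A local user runs chfn, and any code that reads the SID back out of the passwd entry now sees whatever that user wrote; a separate lookup call that consults only winbind's own uid/SID table is unaffected. All user names, uids, SIDs and the two backend stubs are constructed for the example.

```python
"""Added example, not code from the samba-technical thread or from Samba.

Simulates the problem raised in the quoted reply: an SID stored in a passwd
entry (assumed here: in the GECOS field, the field chfn edits) can be
rewritten by any local user once `files` precedes `winbind` in
nsswitch.conf.  A dedicated SID lookup that asks only winbind's own table
does not share that weakness.  Every user, uid and SID below is constructed.
"""
import re

# Constructed nsswitch.conf 'passwd:' line: local files take precedence.
NSSWITCH_PASSWD = ["files", "winbind"]

# Constructed /etc/passwd contents, kept mutable so chfn() can edit GECOS.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1000:1000:Alice,,,:/home/alice:/bin/sh",
    "mallory:x:1001:1001:Mallory,,,:/home/mallory:/bin/sh",
]

# Constructed winbind backend: the authoritative SID <-> uid allocation.
WINBIND_USERS = {"bob": "S-1-5-21-1-2-3-1104"}        # name -> SID (hypothetical)
WINBIND_SID_TO_UID = {"S-1-5-21-1-2-3-1104": 10000}   # SID -> uid (hypothetical)
WINBIND_UID_TO_SID = {uid: sid for sid, uid in WINBIND_SID_TO_UID.items()}

SID_RE = re.compile(r"SID=(S-1-\d+(?:-\d+)+)")


def files_getpwnam(name):
    """The 'files' NSS module: scan the passwd lines for the user."""
    for line in PASSWD_LINES:
        f = line.split(":")
        if f[0] == name:
            return {"name": f[0], "uid": int(f[2]), "gecos": f[4]}
    return None


def winbind_getpwnam(name):
    """The 'winbind' NSS module, implementing the hack under discussion:
    it synthesises an entry whose GECOS field carries the real SID."""
    sid = WINBIND_USERS.get(name)
    if sid is None:
        return None
    return {"name": name, "uid": WINBIND_SID_TO_UID[sid], "gecos": "SID=" + sid}


BACKENDS = {"files": files_getpwnam, "winbind": winbind_getpwnam}


def getpwnam(name):
    """nsswitch semantics: the first listed module that answers wins."""
    for module in NSSWITCH_PASSWD:
        entry = BACKENDS[module](name)
        if entry is not None:
            return entry
    return None


def chfn(name, new_gecos):
    """What chfn lets an ordinary user do to their own entry: rewrite GECOS.
    Returns True if the local passwd file was modified."""
    for i, line in enumerate(PASSWD_LINES):
        f = line.split(":")
        if f[0] == name:
            f[4] = new_gecos
            PASSWD_LINES[i] = ":".join(f)
            return True
    return False


def sid_from_passwd(name):
    """The hack: trust whatever SID the passwd entry carries."""
    entry = getpwnam(name)
    if entry is None:
        return None
    m = SID_RE.search(entry["gecos"])
    return m.group(1) if m else None


def sid_for_uid(uid):
    """The separate call: ask winbind's own table.  A local-only account
    that winbind never allocated simply has no SID."""
    return WINBIND_UID_TO_SID.get(uid)


def demo():
    """mallory writes bob's SID into her own GECOS via chfn.  Returns the SID
    each lookup then reports for mallory: (via passwd entry, via winbind)."""
    chfn("mallory", "Mallory SID=" + WINBIND_USERS["bob"])
    uid = getpwnam("mallory")["uid"]
    return sid_from_passwd("mallory"), sid_for_uid(uid)


if __name__ == "__main__":
    print(demo())
```

After `demo()` runs, `sid_from_passwd("mallory")` returns bob's SID, so any program trusting the passwd entry would treat mallory as bob, while `sid_for_uid(1001)` returns None because winbind never allocated that uid. That is the reason for keeping the SID out of getXbyY() and providing a separate call.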

More information about the samba-technical mailing list