mapping from NT users to Unix users. question.

John E. Malmberg wb8tyw at qsl.net
Thu Jan 20 05:38:16 GMT 2000


From: Luke Kenneth Casson Leighton <lkcl at samba.org>

> hi,
>
> i have a slight issue to consider.  when giving out home directories, a
> user logs in as "NTuser" and gets mapped to "unixuser", i wonder if it's
> better to return \\server\unixuser as the home directory instead of
> \\server\ntuser.

NT users get the home directory given to them as the environment
variables %homeshare% %homepath%  concatenated together.  That is the only
safe way to reference them on an NT system.

This accommodates the two policies in use.

One policy is to have a share for each user.  In which case the %homeshare%
indicates the share, and usually %homepath% = "\".

When this policy is followed, the users are usually ignorant of the actual
share name as a drive letter such as "h:" is mapped to it.

This policy is more convenient to the system administrator, as it does not
impact anyone to move them from one disk or server to another.


The other policy is to have multiple users on one share.  In this method the
%homepath% parameter becomes important, and also people will be expecting it
to match the username.  As to what username to use when the NT and UNIX user
do not match, that is a good question, almost one that should be a
parameter, or possibly a symlink.


Based on my experiences with problems with my briefcase, and Microsoft
Cluster Server, it appears that Microsoft seems to be more oriented to using
the second policy.

This is based on the problems that occur when a server has a lot of shares
that are not hidden from browsing.

The original Microsoft cluster server before Service Pack 4, could not
handle 900 enumerated shares.  With Service Pack 4, you specify a directory
that contains any number of directories to be shared, optionally with the $
suffix so that they are hidden from the browse list.

And I mentioned before the problem that "My Briefcase" has when there are
too many visible shares on a server.

This is making me guess that while Microsoft prefers the second policy,
because fewer things seem to break performance-wise when it is used, there
is significant user demand for the first policy.


My personal preference would be to map to the host system username, and to
set the host system username to be the same as the NT username.

However your SURS table would allow on a host system that supports ACLs the
creation of a single POSIX account that just gets the identifiers needed to
access the objects indicated by their NT group membership.  Another way to
implement appliance mode.

I do not know if this helps with your decision any, but it becomes a trade
off in simple code against being flexible for different existing policies.

-John
wb8tyw at qsl.net
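The NT-to-Unix name mapping and the two home-directory policies discussed in the message above, as an added example that is not part of the original post and not Samba's own code. It assumes the documented syntax of Samba's `username map` file (restated in the comment), uses a constructed sample map, and the server name `server`, the share name `homes` and all function names are illustrative choices made for this example.

```python
"""Resolve an NT user to a Unix user through a Samba-style ``username map``
file, then build the %HOMESHARE%/%HOMEPATH% pair under each of the two
home-directory policies.  Example code written for this page, not Samba's."""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample map, not taken from any real system.  Assumed syntax, as
# documented for smb.conf's "username map": "unixuser = ntname ...", lines
# processed top to bottom, the mapped name re-checked against later lines,
# a leading "!" stopping the scan once that line matches, "*" matching any
# name.  Group forms (@group, &group, +group) are deliberately not handled.
SAMPLE_USERNAME_MAP = """\
# unix name = NT names
!root = Administrator admin
!jdoe = "John Doe" jdoe
!wb8tyw = johnm
nobody = *
"""

MapEntry = Tuple[bool, str, List[str]]  # (stop_after_match, unixuser, ntnames)


def parse_username_map(text: str) -> List[MapEntry]:
    """Parse the map file into ordered entries; comments and blank lines skipped."""
    entries: List[MapEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        left, right = line.split("=", 1)
        stop = left.startswith("!")
        unixuser = left.lstrip("!").strip()
        entries.append((stop, unixuser, shlex.split(right)))
    return entries


def map_nt_to_unix(ntuser: str, entries: List[MapEntry]) -> str:
    """Walk the map in order, case-insensitively; return the final Unix name.
    Without "!" a trailing wildcard line re-maps names matched earlier."""
    current = ntuser
    for stop, unixuser, ntnames in entries:
        if any(n == "*" or n.lower() == current.lower() for n in ntnames):
            current = unixuser
            if stop:
                break
    return current


def home_env_per_user_share(server: str, unixuser: str,
                            hidden: bool = False) -> Dict[str, str]:
    """Policy 1: one share per user.  %HOMESHARE% names the share (optionally
    with the "$" suffix so it stays out of the browse list); %HOMEPATH% is "\\".
    The user normally sees only the mapped drive letter, never the share name."""
    share = unixuser + ("$" if hidden else "")
    return {"HOMESHARE": f"\\\\{server}\\{share}", "HOMEPATH": "\\"}


def home_env_shared_share(server: str, share: str,
                          unixuser: str) -> Dict[str, str]:
    """Policy 2: many users on one share.  %HOMEPATH% now carries the user's
    directory, which users will expect to match their name."""
    return {"HOMESHARE": f"\\\\{server}\\{share}", "HOMEPATH": f"\\{unixuser}"}


def home_unc(env: Dict[str, str]) -> str:
    """Concatenate %HOMESHARE% and %HOMEPATH%, the only safe reference on NT."""
    return env["HOMESHARE"] + env["HOMEPATH"]


def resolve_home(ntuser: str, map_text: str, server: str,
                 shared_share: Optional[str] = None) -> Tuple[str, str]:
    """NT name -> Unix name -> home UNC.  A shared_share selects policy 2;
    otherwise policy 1 with a hidden per-user share is used."""
    unixuser = map_nt_to_unix(ntuser, parse_username_map(map_text))
    if shared_share is None:
        env = home_env_per_user_share(server, unixuser, hidden=True)
    else:
        env = home_env_shared_share(server, shared_share, unixuser)
    return unixuser, home_unc(env)


if __name__ == "__main__":
    for nt in ("johnm", "John Doe", "guest42"):
        print(nt, "->", resolve_home(nt, SAMPLE_USERNAME_MAP, "server"))
        print(nt, "->", resolve_home(nt, SAMPLE_USERNAME_MAP, "server", "homes"))
```

Running it shows the same Unix name under both policies but a different split between share and path: per-user shares put the (Unix) name in %HOMESHARE% where the drive letter hides it, while a shared share exposes it in %HOMEPATH%, which is where the choice between the NT and Unix name becomes visible to the user. Dropping the "!" markers from the sample map makes the trailing wildcard swallow every name, the pitfall the map syntax's stop marker exists for.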



