SURS is not SAM (was Re: FW: Speed comp. TNG & 2.2.alpha (fwd))

Elrond elrond at
Tue Mar 6 20:10:13 GMT 2001

On Wed, Mar 07, 2001 at 06:04:47AM +1100, Luke Kenneth Casson Leighton wrote:
> ... *thinks* ...
> > 
> > Okay, spoolssd will inherit its complete security context
> > from smbd, including the unix-sec-ctx.
> true.  _however_: you are correct.  it is possible to over-ride this when
> an authenticated DCE/RPC connection is requested.

Which is exactly what I've outlined in my
dbmsrv-paragraph. ;)

> > While the before-SURS has some other horrible complex
> > stories...
> urrr.... i think you may be thinking of the wrong thing.
> take entries in "map username".
> take smbd sesssetupX request username and domain name.
> put through "map username"

You mean: Apply the mappings? Right?

> then put result through NETLOGON authentication.

That won't work!

I try to log in as remotedom\elrond, it maps me to
remotedom\uninterestinguser and THEN tries to ask

I don't know the pw for that user!!

(Remember my big style scenario, you don't want all the
people in the university to have the same pw, do you? ;-))

netlogon will fail!

What am I missing?

> then put NETLOGON result through SURS to get uid and gids from user-RID
> and group-RIDs all concatenated with the domain SID which is implicit, 
> [and don't forget other-SIDs!]

Okay, that sounds fine again.

> > hehe... I do remember... I once was requesting this
> > somewhat, because I didn't want to see netlogond linking to
> > ;)
> *sigh*.  yeah.  but it hammers the ncalrpc interface for not exactly a
> good reason.  *sigh* :)

Well... I was thinking about static-linking platforms and
doubled code and the like and having one central daemon
dealing with exactly one job.

But I'm fine with libsamr*.

> luke
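The ordering problem Elrond raises, as a toy model added here (this is not code from the thread or from Samba): a "map username" table applied before the NETLOGON check authenticates the mapped name with the caller's own password, so the logon fails; authenticating the presented name first and mapping afterwards does not. The account store, mapping table, password strings and uid values are all constructed for the example.

```python
from typing import Optional, Tuple

Account = Tuple[str, str]  # (domain, username)

# Constructed stand-in for the domain controller's credential store (NETLOGON side).
DOMAIN_ACCOUNTS = {
    ("remotedom", "elrond"): "elrond-secret",
    ("remotedom", "uninterestinguser"): "someone-elses-secret",
}

# Constructed "map username" table: presented name -> account used locally.
USERNAME_MAP = {
    ("remotedom", "elrond"): ("remotedom", "uninterestinguser"),
}

# Constructed SURS stand-in: authenticated (domain, user) -> unix uid.
SURS = {
    ("remotedom", "uninterestinguser"): 1001,
    ("remotedom", "elrond"): 1002,
}


def netlogon_auth(domain: str, user: str, password: str) -> bool:
    """Toy NETLOGON: succeed only if the password belongs to the named account."""
    return DOMAIN_ACCOUNTS.get((domain, user)) == password


def map_username(domain: str, user: str) -> Account:
    """Apply the mapping table; unmapped names pass through unchanged."""
    return USERNAME_MAP.get((domain, user), (domain, user))


def login_map_then_auth(domain: str, user: str, password: str) -> Optional[int]:
    """Map first, then authenticate the mapped name (the ordering Elrond objects to)."""
    mapped = map_username(domain, user)
    # The caller supplied their own password, not the mapped account's, so this fails.
    if not netlogon_auth(mapped[0], mapped[1], password):
        return None
    return SURS.get(mapped)


def login_auth_then_map(domain: str, user: str, password: str) -> Optional[int]:
    """Authenticate the presented identity first, then map it for the unix side."""
    if not netlogon_auth(domain, user, password):
        return None
    return SURS.get(map_username(domain, user))
```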