SURS is not SAM (was Re: FW: Speed comp. TNG & 2.2.alpha (fwd))
elrond at samba-tng.org
Tue Mar 6 20:10:13 GMT 2001
On Wed, Mar 07, 2001 at 06:04:47AM +1100, Luke Kenneth Casson Leighton wrote:
> ... *thinks* ...
> > Okay, spoolssd will inherit its complete security context
> > from smbd, including the unix-sec-ctx.
> true. _however_: you are correct. it is possible to over-ride this when
> an authenticated DCE/RPC connection is requested.
Which is exactly, what I've outlined in my
> > While the before-SURS has some other horrible complex
> > stories...
> urrr.... i think you may be thinking of the wrong thing.
> take entries in "map username".
> take smbd sesssetupX request username and domain name.
> put through "map username"
You mean: Apply the mappings? Right?
> then put result through NETLOGON authentication.
That wont work!
I try to log in as remotedom\elrond, it maps me to
remotedom\uninterestinguser and THEN tries to ask
I don't know the pw for that user!!
(Remember my big style scenario, you don't want all the
people in the university to have the same pw, do you? ;-))
netlogon will fail!
What am I missing?
> then put NETLOGON result through SURS to get uid and gids from user-RID
> and group-RIDs all concatenated with the domain SID which is implicit,
> [and don't forget other-SIDs!]
Okay, that sounds fine again.
> > hehe... I do remember... I once was requesting this
> > somewhat, because I didn't want to see netlogond linking to
> > libsamrpass.so. ;)
> *sigh*. yeah. but it hammers the ncalrpc interface for not exactly a
> good reason. *sigh* :)
Well... I was thinking about static-linking platforms and
doubled code and the like and having one central daemon
dealing with exactly one job.
But I'm fine with libsamr*.
More information about the samba-technical