Commit my stuff to 3.0?

Jean Francois Micouleau Jean-Francois.Micouleau at dalalu.fr
Mon Oct 14 08:09:02 GMT 2002


On Sun, 13 Oct 2002, Andrew Bartlett wrote:

> Volker.Lendecke at SerNet.DE wrote:

> > My solution for this is mapping users not in the 'rich' pdb backend to
> > S-1-5-33-uid (no typo!). This is the newly created 'local unix
> > auth'. lookupsid should return 'not mapped', as NT4 would after that
> > look up 'local unix auth'#1c... W2k shows the SID in plain text, NT4
> > shows 'local unix auth\account unknown'
>
> This could have interesting security implications - because each
> fileserver will be serving rids in the same RID space, and because of
> how NT copies ACLs with a file.  When you copy this file back, it's now
> got permissions in 'unexpected' groups.  Under NT these groups would be
> full SIDs, so be restricted as such - but under this they would map back
> to gids, which have a different meaning.

That is a very good point and a major objection to the S-1-5-33-uid idea.

Let me explain: if you copy a file with its ACL (as W2K does) between two
Samba PDC servers, and that ACL contains an S-1-5-33-uid SID, you end up
giving access to an unknown user.

S-1-5-33-uid can map to one user on domain1 and to another user on
domain2.

So I propose to map the users to the normal domain SID (S-1-5-21-x-y-z)
and to create their accounts with the ACCOUNT_DISABLED flag.


	J.F.
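The collision J.F. and Andrew describe, shown as an added example (this is not Samba code, and it does not reproduce Samba's SID routines). Two PDCs with unrelated uid tables each put a SID for local uid 1000 into an ACL; when W2K copies the ACL to the other server, the S-1-5-33-uid form resolves to whoever happens to hold uid 1000 there, while the domain-SID form (S-1-5-21-x-y-z-rid) stays unknown because the domain prefix does not match. The server names, uid tables and the rid = 1000 + 2*uid rule are constructed for the example only.

```c
/* Added example, not Samba code: a fixed pseudo-authority SID that embeds the
 * Unix uid (S-1-5-33-<uid>) collides when an ACL is copied between servers;
 * a per-domain SID (S-1-5-21-x-y-z-<rid>) does not. Server names, uid tables
 * and the uid<->rid rule are constructed for this example. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTH 15

struct sid {
    unsigned int authority;            /* identifier authority (5 = NT) */
    int num_subauth;
    unsigned int subauth[MAX_SUBAUTH];
};

struct passwd_entry { unsigned int uid; const char *name; };

struct server {
    const char *name;
    struct sid domain_sid;             /* this server's S-1-5-21-x-y-z */
    const struct passwd_entry *pw;     /* its local uid -> name table */
    int npw;
};

/* Two Samba PDCs with unrelated uid tables (constructed sample data). */
static const struct passwd_entry pw_pdc1[] = { {1000, "alice"}, {1001, "carol"} };
static const struct passwd_entry pw_pdc2[] = { {1000, "bob"},   {1002, "dave"} };
const struct server pdc1 = { "pdc1", {5, 4, {21, 111, 222, 333}}, pw_pdc1, 2 };
const struct server pdc2 = { "pdc2", {5, 4, {21, 444, 555, 666}}, pw_pdc2, 2 };

/* Parse "S-1-<auth>-<sub>-..."; 0 on success, -1 if malformed. */
int parse_sid(const char *s, struct sid *out)
{
    char *end;
    memset(out, 0, sizeof(*out));
    if (strncmp(s, "S-1-", 4) != 0 || !isdigit((unsigned char)s[4]))
        return -1;
    out->authority = (unsigned int)strtoul(s + 4, &end, 10);
    while (*end == '-') {
        const char *p = end + 1;
        if (!isdigit((unsigned char)*p) || out->num_subauth >= MAX_SUBAUTH)
            return -1;
        out->subauth[out->num_subauth++] = (unsigned int)strtoul(p, &end, 10);
    }
    return *end == '\0' ? 0 : -1;
}

static const char *name_for_uid(const struct server *srv, unsigned int uid)
{
    int i;
    for (i = 0; i < srv->npw; i++)
        if (srv->pw[i].uid == uid)
            return srv->pw[i].name;
    return NULL;
}

/* Scheme 1 ('local unix auth'): S-1-5-33-<uid>. Every server resolves it
 * against its *own* uid table, whoever issued it. NULL = unknown. */
const char *who_local_unix_auth(const struct server *srv, const char *sid_str)
{
    struct sid sid;
    if (parse_sid(sid_str, &sid) != 0 || sid.authority != 5 ||
        sid.num_subauth != 2 || sid.subauth[0] != 33)
        return NULL;
    return name_for_uid(srv, sid.subauth[1]);
}

/* Scheme 2 (J.F.'s proposal): <domain SID>-<rid>. Only SIDs carrying this
 * server's own domain prefix resolve; foreign ones stay unknown.
 * rid = 1000 + 2*uid is an allocation rule assumed for this example. */
const char *who_domain(const struct server *srv, const char *sid_str)
{
    struct sid sid;
    const struct sid *d = &srv->domain_sid;
    unsigned int rid;
    if (parse_sid(sid_str, &sid) != 0 || sid.authority != d->authority ||
        sid.num_subauth != d->num_subauth + 1 ||
        memcmp(sid.subauth, d->subauth, d->num_subauth * sizeof(d->subauth[0])) != 0)
        return NULL;
    rid = sid.subauth[d->num_subauth];
    if (rid < 1000 || (rid - 1000) % 2 != 0)
        return NULL;
    return name_for_uid(srv, (rid - 1000) / 2);
}

/* The SID `srv` would write into an ACL for a local uid under each scheme. */
int acl_sid_local_unix_auth(unsigned int uid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "S-1-5-33-%u", uid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int acl_sid_domain(const struct server *srv, unsigned int uid, char *buf, size_t len)
{
    const struct sid *d = &srv->domain_sid;
    int i, n = snprintf(buf, len, "S-1-%u", d->authority);
    for (i = 0; i < d->num_subauth && n > 0 && (size_t)n < len; i++)
        n += snprintf(buf + n, len - (size_t)n, "-%u", d->subauth[i]);
    if (n > 0 && (size_t)n < len)
        n += snprintf(buf + n, len - (size_t)n, "-%u", 1000 + 2 * uid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void)
{
    char s1[64], s2[64];
    const char *n;

    /* alice (uid 1000) sets an ACL on pdc1; W2K copies the ACL to pdc2. */
    acl_sid_local_unix_auth(1000, s1, sizeof s1);
    acl_sid_domain(&pdc1, 1000, s2, sizeof s2);

    n = who_local_unix_auth(&pdc2, s1);
    printf("%s on pdc2 -> %s (same SID, different uid table)\n", s1, n ? n : "unknown");
    n = who_domain(&pdc2, s2);
    printf("%s on pdc2 -> %s\n", s2, n ? n : "unknown (foreign domain SID)");
    return 0;
}
```

Run as is: the S-1-5-33-1000 entry that meant alice on pdc1 resolves to bob on pdc2, which is the silent grant the thread is worried about; the S-1-5-21-111-222-333-3000 entry does not resolve on pdc2 at all, so the foreign account is at least visibly foreign rather than mistaken for a local one.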
