Commit my stuff to 3.0?

Jean Francois Micouleau Jean-Francois.Micouleau at
Mon Oct 14 08:09:02 GMT 2002

On Sun, 13 Oct 2002, Andrew Bartlett wrote:

> Volker.Lendecke at SerNet.DE wrote:

> > My solution for this is mapping users not in the 'rich' pdb backend to
> > S-1-5-33-uid (no typo!). This is the newly created 'local unix
> > auth'. lookupsid should return 'not mapped', as NT4 would after that
> > look up 'local unix auth'#1c... W2k shows the SID in plain text, NT4
> > shows 'local unix auth\account unknown'
> This could have interesting security implications - becouse each
> fileserver will be serving rids in the same RID space, and becouse of
> how NT copies ACLs with a file.  When you copy this file back, it's now
> got permissions in 'unexpected' groups.  Under NT these groups would be
> full SIDs, so be restricted as such - but under this they would map back
> to gids, which have a different meaning.

That is a very good point and a major objection to the S-1-5-33-uid idea.

let me explain: if you copy a file with its ACL (like w2k does) between 2
samba pdc servers, and that ACL contains a S-1-5-33-uid, you end up giving
access to an unknown user.

S-1-5-33-uid can map to a user on domain1 and map to another user on

so I propose to map the users to the normal domain SID (S-1-5-21-x-y-z)
and create their accounts with the ACCOUNT_DISABLED flag.


More information about the samba-technical mailing list