Coming round to SURS...

Luke Kenneth Casson Leighton lkcl at samba-tng.org
Tue Oct 22 18:02:12 GMT 2002


i have a question for the people who sponsor the samba team.

"when are you going to realise that your money is being
 wasted by not sponsoring me as a design architect on
 NT compatibility software suites for unix?"



here - yet again, another demonstration of how much money you have
been wasting.



hopefully this time this "really new" proposal - i.e. yet
ANOTHER idea and proposal introduced by me almost three years
ago - will actually get done, and done properly.


you lot: read http://cb1.com/~lkcl/cifs - the surs RFC.

remember two and only three important things, and you
will not go wrong.

if you do not remember these three things, you WILL end
up with complications, security flaws and unmanageable
sites.

1) you MUST allow mapping of a SID to both a user AND a group id.

2) mappings of SIDs to user ids MUST be both "onto" and "one-to-one".

3) mappings of SIDs to group ids MUST be both "onto" and "one-to-one".



yet another demonstration of how arrogance, pride and cruelty can
set a project back years by the simple expedient of not being
willing to listen to people who know what they're talking about.

i'm specifically referring to you - andrew - and you - jeremy.




> Hi,
> 
> here's a proposal for the idmap api;
> 
> we'll have a cache that will be asked first, if this fails we ask the 
> central idmap and add the result to our cache.
> 
> the idmap_central_* functions should be plugable/selectable (different 
> backends should be allowed here)
> 
> and the backend should decide how to handle unmapped id's.
> 
> comments please
> 
> /* idmap api */
> 
> /* sid -> unix id: ask the cache first, fall through to the central
>    (pluggable) backend only on a miss, and remember what it returned */
> NT_STATUS idmap_sid_to_id(DOM_SID *sid, int *id, BOOL *group)
> {
>          if (NT_STATUS_IS_OK(idmap_cache_sid_to_id(sid,id,group)))
>          {
>                  return NT_STATUS_OK;
>          }
> 
>          if (!NT_STATUS_IS_OK(idmap_central_sid_to_id(sid,id,group)))
>          {
>                  return NT_STATUS_UNSUCCESSFUL;
>          }
> 
>          idmap_cache_update(sid,*id,*group);
>          return NT_STATUS_OK;
> }
> 
> /* uid -> sid, same cache-then-backend order; the cache is keyed by
>    (sid, id, is_group) so a uid and a gid with the same number do not
>    collide */
> NT_STATUS idmap_uid_to_sid(uid_t uid, DOM_SID **sid)
> {
>          if (NT_STATUS_IS_OK(idmap_cache_uid_to_sid(uid,sid)))
>          {
>                  return NT_STATUS_OK;
>          }
> 
>          if (!NT_STATUS_IS_OK(idmap_central_uid_to_sid(uid,sid)))
>          {
>                  return NT_STATUS_UNSUCCESSFUL;
>          }
> 
>          idmap_cache_update(*sid,uid,False);
>          return NT_STATUS_OK;
> }
> 
> /* gid -> sid */
> NT_STATUS idmap_gid_to_sid(gid_t gid, DOM_SID **sid)
> {
>          if (NT_STATUS_IS_OK(idmap_cache_gid_to_sid(gid,sid)))
>          {
>                  return NT_STATUS_OK;
>          }
> 
>          if (!NT_STATUS_IS_OK(idmap_central_gid_to_sid(gid,sid)))
>          {
>                  return NT_STATUS_UNSUCCESSFUL;
>          }
> 
>          idmap_cache_update(*sid,gid,True);
>          return NT_STATUS_OK;
> }
> 
> 
> metze
> -----------------------------------------------------------------------------
> Stefan "metze" Metzmacher <metze at metzemix.de>
> 
> 
> --
> Luke Howard | PADL Software Pty Ltd | www.padl.com

-- 
----------------------------------------------------------
this message is private, confidential, and is intended for
the specified recipients only.  if you received it in error,
or altered, deleted, modified, destroyed or interfered with
the contents of this message, in whole or in part, please
inform the sender (that's me), immediately.

if you, the recipient, reply to this message, and do not
then receive a response, please consider your reply to have
been lost or deliberately destroyed: i *always* acknowledge
personal email received.  please therefore take appropriate
action and use appropriate protocols to ensure effective
communication.

thank you.
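The following is an added example, not code from this mail, from metze's proposal or from Samba. It models the cache-first idmap API quoted above together with the three rules stated earlier in the message: a backend that keeps a uid table and a gid table so one SID can hold both a uid and a gid, each table kept one-to-one (a SID never gets two ids, an id never gets two SIDs) and onto the range it has allocated, a cache in front of it, and an audit function that finds the collisions a broken mapping would produce. The class and function names (`TableBackend`, `Idmap`, `find_collisions`, `IdmapError`), the id base of 10000 and the SIDs in the test are this example's own assumptions, not Samba identifiers.

```python
# Added example: a model of a cache-first SID <-> uid/gid idmap that enforces
# the "both uid and gid", "one-to-one" and "onto" rules.  Names and the id
# base are assumptions of this example, not Samba's own.
from typing import Dict, List, Optional, Tuple


class IdmapError(Exception):
    """Raised when a mapping is missing or would break one-to-one-ness."""


class TableBackend:
    """Hypothetical pluggable 'central' backend (stands in for idmap_central_*).

    One table for uids, one for gids.  Within each table the mapping is
    one-to-one and onto the ids it has handed out: every allocated id resolves
    back to exactly one SID.  A SID may sit in both tables (rule 1).
    """

    def __init__(self, uid_base: int = 10000, gid_base: int = 10000) -> None:
        self._sid_to_id: Dict[str, Dict[str, int]] = {"uid": {}, "gid": {}}
        self._id_to_sid: Dict[str, Dict[int, str]] = {"uid": {}, "gid": {}}
        self._next = {"uid": uid_base, "gid": gid_base}
        self.lookups = 0  # how often the backend was consulted (cache misses)

    @staticmethod
    def _table(group: bool) -> str:
        return "gid" if group else "uid"

    def sid_to_id(self, sid: str, group: bool) -> Optional[int]:
        self.lookups += 1
        return self._sid_to_id[self._table(group)].get(sid)

    def id_to_sid(self, id_: int, group: bool) -> Optional[str]:
        self.lookups += 1
        return self._id_to_sid[self._table(group)].get(id_)

    def insert(self, sid: str, id_: int, group: bool) -> None:
        """Record sid <-> id, refusing any pair that would break one-to-one."""
        t = self._table(group)
        if self._sid_to_id[t].get(sid, id_) != id_:
            raise IdmapError(f"{sid} already mapped to {t} {self._sid_to_id[t][sid]}")
        if self._id_to_sid[t].get(id_, sid) != sid:
            raise IdmapError(f"{t} {id_} already belongs to {self._id_to_sid[t][id_]}")
        self._sid_to_id[t][sid] = id_
        self._id_to_sid[t][id_] = sid
        self._next[t] = max(self._next[t], id_ + 1)  # ids are never reused

    def allocate(self, sid: str, group: bool) -> int:
        """Hand out the next unused id for sid, or return the one it already has."""
        t = self._table(group)
        if sid not in self._sid_to_id[t]:
            self.insert(sid, self._next[t], group)
        return self._sid_to_id[t][sid]


class Idmap:
    """The cache-first front end from the proposal: cache, then backend, then cache update."""

    def __init__(self, backend: TableBackend) -> None:
        self.backend = backend
        self._by_sid: Dict[Tuple[str, bool], int] = {}   # (sid, is_group) -> id
        self._by_id: Dict[Tuple[int, bool], str] = {}    # (id, is_group) -> sid

    def _cache_update(self, sid: str, id_: int, group: bool) -> None:
        self._by_sid[(sid, group)] = id_
        self._by_id[(id_, group)] = sid

    def sid_to_id(self, sid: str, group: bool) -> int:
        cached = self._by_sid.get((sid, group))
        if cached is not None:
            return cached
        id_ = self.backend.sid_to_id(sid, group)
        if id_ is None:
            raise IdmapError(f"no {'gid' if group else 'uid'} for {sid}")
        self._cache_update(sid, id_, group)
        return id_

    def _id_to_sid(self, id_: int, group: bool) -> str:
        cached = self._by_id.get((id_, group))
        if cached is not None:
            return cached
        sid = self.backend.id_to_sid(id_, group)
        if sid is None:
            raise IdmapError(f"no SID for {'gid' if group else 'uid'} {id_}")
        self._cache_update(sid, id_, group)
        return sid

    def uid_to_sid(self, uid: int) -> str:
        return self._id_to_sid(uid, False)

    def gid_to_sid(self, gid: int) -> str:
        return self._id_to_sid(gid, True)


def find_collisions(sid_to_id: Dict[str, int]) -> Dict[int, List[str]]:
    """Audit a raw SID->id table: ids claimed by more than one SID.

    Each entry is a one-to-one violation: every SID sharing that id gets the
    others' files, because the unix side only ever sees the id.
    """
    owners: Dict[int, List[str]] = {}
    for sid, id_ in sorted(sid_to_id.items()):
        owners.setdefault(id_, []).append(sid)
    return {id_: sids for id_, sids in owners.items() if len(sids) > 1}
```

The cache is keyed on (id, is_group) rather than on the bare number, which is what lets the same SID carry uid 10000 and gid 10000 without the two lookups confusing each other; `find_collisions` is the check worth running over any externally supplied mapping table before trusting it.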



