sambaSID in the sambaSamAccount a good idea?

Andrew Bartlett abartlet at
Wed Jun 25 07:46:22 GMT 2003

On Wed, 2003-06-25 at 17:11, Volker Lendecke wrote:
> On Wed, Jun 25, 2003 at 09:55:12AM +1000, Andrew Bartlett wrote:
> > The correct solution (for which I'll produce a patch) is to assert that
> > the SID stored in secrets.tdb is always the SID stored in LDAP for the
> > domain, and update secrets.tdb if we need to.
> Hmmm. I'm still not convinced.
> What does this gain us feature-wise, not implementation-wise? IMO a change in
> behaviour should really be backed by a good new feature that we get.

A consistent ldap IDMAP.  (Otherwise we would need to special-case
between entries in this domain (using rids), and entries in others
(using full sids))

> A little argument might be that NT only stores the RID in its SAM as well, as
> you can see from the SAM_ACCOUNT_INFO delta.

And Win2k only stores SIDs in LDAP.  

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at