New approach for winbind to match Windows to UNIX users and back

Michael Fair michael at daclubhouse.net
Wed Mar 12 23:38:32 GMT 2003


I haven't done much work in this area yet so please feel
free to correct me as you see fit, but as I understand it,
part of the problem we face is that the equivalents of
the UID and GID in UNIX are mapped to the same address
space in Windows.

I was working on some unrelated ACL stuff and thought
about the potential of practically eliminating the use
of an ACL on a UID and only using ACLs on groups.

Most Linux implementations these days put the UNIX user
in a group of the same name by default.  If the GID for
the user's unique group was made to match the ID from
Windows then every UNIX user could be mapped into the
WINDOWS namespace via its GID.

Further, every Windows user and group could be mapped
into the UNIX space simply by adding a GID for it.

UNIX users that mapped to Windows users could be
identified by adding the UID to the Windows based
GID for that user.

Now whenever the administrator wanted to provide some
sort of ACL for the user, they'd do it via the group
identifier.

If the groups were published in LDAP, then winbind
wouldn't need to do any additional mapping since it
could just take the Windows Identifier and use it
directly as a GID.

I might be smoking something and missing some large
gaps, but it seems that approaching the single
namespace of Windows, with a single namespace from
UNIX (namely the groups interface) and then using
the UNIX uid to map the UNIX users to the Windows
space elegantly addresses some of the complications
between the two systems.

Thoughts?

-- Michael --
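The mapping scheme sketched in the post above, worked through as an added example (this is not code from the post, from Samba or from winbind). It assumes the "ID from Windows" is the RID of the user or group, that Windows users and groups share that one identifier space, that UNIX UIDs are allocated from a separate base (here 10000), and that a set of already-used local GIDs can be passed in so a collision with an existing UNIX group is caught at build time. Every principal gets GID = RID, users additionally get a UID whose user-private group is that GID, Windows group membership becomes UNIX supplementary-group membership, and ACLs are checked against GIDs only. The directory and membership data are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed sample directory: RID -> (kind, name). Users and groups share the space.
WINDOWS_PRINCIPALS = {
    1001: ("user", "alice"),
    1002: ("user", "bob"),
    2001: ("group", "engineering"),
}

# Constructed Windows group membership: group RID -> set of member RIDs.
WINDOWS_MEMBERSHIP = {2001: {1001}}

UID_BASE = 10000  # assumption: UNIX UIDs come from here, independent of the GID space


@dataclass
class IdMap:
    gid_to_rid: dict = field(default_factory=dict)
    rid_to_gid: dict = field(default_factory=dict)
    uid_to_gid: dict = field(default_factory=dict)   # users only: uid -> private-group gid
    gid_to_uid: dict = field(default_factory=dict)   # users only: private-group gid -> uid
    unix_groups: dict = field(default_factory=dict)  # gid -> set of member uids


def build_idmap(principals, membership, gid_base=0, uid_base=UID_BASE, reserved_gids=frozenset()):
    """Assign GID = gid_base + RID to every principal; users also get a UID and a private group.

    reserved_gids (assumed input) models GIDs already taken by local UNIX groups; the
    scheme needs a one-to-one mapping, so a collision is an error rather than a silent overlap.
    """
    m = IdMap()
    next_uid = uid_base
    for rid, (kind, name) in sorted(principals.items()):
        gid = gid_base + rid
        if gid in reserved_gids:
            raise ValueError(f"GID {gid} for Windows principal {name!r} collides with a local group")
        m.gid_to_rid[gid] = rid
        m.rid_to_gid[rid] = gid
        m.unix_groups[gid] = set()
        if kind == "user":
            uid = next_uid
            next_uid += 1
            m.uid_to_gid[uid] = gid
            m.gid_to_uid[gid] = uid
            m.unix_groups[gid].add(uid)  # the user-private group carries the Windows identity
    # Windows group membership becomes UNIX supplementary-group membership.
    for group_rid, member_rids in membership.items():
        for member_rid in member_rids:
            member_gid = m.rid_to_gid[member_rid]
            if member_gid not in m.gid_to_uid:
                continue  # nested groups are out of scope for this toy model
            m.unix_groups[m.rid_to_gid[group_rid]].add(m.gid_to_uid[member_gid])
    return m


def windows_to_unix(m, rid):
    """Windows identifier -> (gid, uid or None); with gid_base == 0 this needs no lookup table."""
    gid = m.rid_to_gid[rid]
    return gid, m.gid_to_uid.get(gid)


def unix_to_windows(m, gid):
    """UNIX GID -> Windows identifier (the reverse direction of the same table)."""
    return m.gid_to_rid[gid]


def groups_of(m, uid):
    """All GIDs a UID belongs to: its private group plus supplementary groups."""
    return {gid for gid, members in m.unix_groups.items() if uid in members}


def can_access(m, uid, acl_gids):
    """ACLs name groups only; a user passes if any group it belongs to is on the ACL.
    Granting 'to a user' is done by putting that user's private GID on the ACL."""
    return bool(groups_of(m, uid) & set(acl_gids))


if __name__ == "__main__":
    idmap = build_idmap(WINDOWS_PRINCIPALS, WINDOWS_MEMBERSHIP)
    print("alice:", windows_to_unix(idmap, 1001), "groups:", sorted(groups_of(idmap, 10000)))
    print("engineering:", windows_to_unix(idmap, 2001))
```

The `reserved_gids` check is the part a practitioner would want before adopting this: with GID = RID, any RID that happens to equal an existing local GID (or a GID in another domain's range) collides, and the model only stays one-to-one if such overlaps are detected or offset with a non-zero `gid_base`.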
