New approach for winbind to match Windows to UNIX users and back

Andrew Bartlett abartlet at samba.org
Thu Mar 13 00:32:28 GMT 2003


On Thu, 2003-03-13 at 10:38, Michael Fair wrote:
> I haven't done much work in this area yet so please feel
> free to correct me as you see fit, but as I understand it,
> part of the problem we face is that the equivalents of
> the UID and a GID in UNIX, are mapped to the same address
> space in Windows.
> 
> I was working on some unrelated ACL stuff and thought
> about the potential of practically eliminating the use
> of an ACL on a UID and only using ACLs on groups.

I think this is a very good idea.  We would effectively create a 'user
private group' for every winbindd user.  And if they turned out to be a
group, then we just populate them with members!

This helps us particularly with the problem that we don't know the type
of a SID without a lookup - a lookup that may well fail.

> Most Linux implementations these days put the UNIX user
> in a group of the same name by default.  If the GID for
> the user unique group was made to match the ID from
> windows then every UNIX user could be mapped into the
> WINDOWS namespace via its GID.
> 
> Further, every windows user and group could be mapped
> into the UNIX space simply by adding a GID for it.

Exactly.

> UNIX users that mapped to Windows users could be
> identified by adding the UID to the Windows based
> GID for that user.

We only need to do this for the Windows->unix layer, for unix->windows
we can match it more on the existing lines - but given the name-space
conflict, we might look into something here too.

> Now whenever the administrator wanted to provide some
> sort of ACL for the user, they'd do it via the group
> identifier.

This is where things get messy.  For ACLs changed via Samba, it's all
fine, but we need to watch out that we don't create a mess for ACLs
changed via local tools - and no, you can't trust the users to 'do the
right thing'.

That said, if the users get all the right groups at initgroups() time
(including their new primary gid) it shouldn't matter.

> If the groups were published in LDAP, then winbind
> wouldn't need to do any additional mapping since it
> could just take the Windows Identifier and use it
> directly as a GID.

This has the problem that we have multiple domains.

> I might be smoking something and missing some large
> gaps, but it seems that approaching the single
> namespace of Windows, with a single namespace from
> UNIX (namely the groups interface) and then using
> the UNIX uid to map the UNIX users to the Windows
> space elegantly addresses some of the complications
> between the two systems.
> 
> Thoughts?

This would also solve a nasty problem we have that we don't know the
'real' primary group of every user for NT4 domains, when doing a
getgrent().  Instead we assume 'domain users'.  This would allow us to
always know that value.

This solves quite a large problem space, but probably creates some of its
own.  It does deserve some serious attention.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
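The mapping scheme discussed above, as a small Python model added here for illustration; it is not Samba or winbindd code and uses constructed domain SIDs. Every SID is handed a GID before its type is known (the "user private group" idea), a SID that later proves to be a user gets a UID equal to that GID and becomes its own group's only member, and initgroups() returns the private group plus real group memberships. It also shows the multiple-domain problem Andrew raises: using the Windows RID directly as a GID collides as soon as two domains reuse the same RID, so the hypothetical IdMap class gives each domain its own disjoint GID range.

```python
"""Toy model of the thread's ID-mapping idea (constructed example, not winbindd code):
every Windows SID gets a GID, users additionally get a UID, and each domain owns
a disjoint GID range so RIDs from different domains never collide."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class SID:
    """A Windows SID split into its domain prefix and relative ID (RID)."""
    domain: str  # domain SID prefix; the values used below are constructed
    rid: int

    def __str__(self) -> str:
        return f"{self.domain}-{self.rid}"


def naive_gid(sid: SID) -> int:
    """'Use the Windows identifier directly as a GID': fine for one domain,
    but two domains hand out the same RID numbers."""
    return sid.rid


@dataclass
class Entry:
    gid: int                      # every SID owns a group id from the start
    uid: Optional[int] = None     # filled in once the SID proves to be a user
    kind: Optional[str] = None    # "user", "group" or None (lookup not done yet)
    members: Set[int] = field(default_factory=set)  # UIDs belonging to this group


class IdMap:
    """Hypothetical mapper: gid = per-domain base + RID, bases never overlap."""

    def __init__(self, ranges: Dict[str, Tuple[int, int]]):
        self.ranges = ranges           # domain prefix -> (base gid, range size)
        self.entries: Dict[SID, Entry] = {}

    def gid_for(self, sid: SID) -> int:
        """Map a SID to a GID without knowing whether it is a user or a group."""
        base, size = self.ranges[sid.domain]
        if sid.rid >= size:
            raise ValueError(f"RID {sid.rid} does not fit the range of {sid.domain}")
        gid = base + sid.rid
        self.entries.setdefault(sid, Entry(gid=gid))
        return gid

    def uid_for(self, sid: SID) -> int:
        entry = self.entries.get(sid)
        if entry is None or entry.uid is None:
            raise LookupError(f"{sid} is not a known user")
        return entry.uid

    def learn_type(self, sid: SID, kind: str, member_sids: Sequence[SID] = ()) -> Entry:
        """Called when a lookup finally tells us what the SID is."""
        self.gid_for(sid)
        entry = self.entries[sid]
        entry.kind = kind
        if kind == "user":
            entry.uid = entry.gid          # the UID matches the private group's GID
            entry.members = {entry.uid}    # the user is its private group's only member
        elif kind == "group":
            for member in member_sids:     # members must already be known users
                entry.members.add(self.uid_for(member))
        else:
            raise ValueError(f"unknown SID type {kind!r}")
        return entry

    def initgroups(self, uid: int) -> List[int]:
        """Every GID the user holds at initgroups() time, private group included."""
        return sorted(e.gid for e in self.entries.values() if uid in e.members)


def demo() -> Dict[str, object]:
    dom_a = "S-1-5-21-1-1-1"   # constructed domain SIDs
    dom_b = "S-1-5-21-2-2-2"
    alice, bob = SID(dom_a, 1000), SID(dom_b, 1000)   # same RID, different domains
    devs = SID(dom_a, 2000)
    idmap = IdMap({dom_a: (10000, 5000), dom_b: (20000, 5000)})
    idmap.learn_type(alice, "user")
    idmap.learn_type(bob, "user")
    idmap.learn_type(devs, "group", [alice])
    return {
        "naive_collides": naive_gid(alice) == naive_gid(bob),
        "alice_gid": idmap.gid_for(alice),
        "bob_gid": idmap.gid_for(bob),
        "alice_groups": idmap.initgroups(idmap.uid_for(alice)),
    }


if __name__ == "__main__":
    print(demo())
```

The per-domain range is the part a deployment has to get right: the range size bounds the RIDs a domain can map, so a RID past the end is rejected rather than silently spilling into the next domain's GIDs.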