New approach for winbind to match Windows to UNIX users and back

Simo Sorce simo.sorce at xsec.it
Thu Mar 13 09:46:46 GMT 2003


On Thu, 2003-03-13 at 01:32, Andrew Bartlett wrote:
> On Thu, 2003-03-13 at 10:38, Michael Fair wrote:
> > I haven't done much work in this area yet so please feel
> > free to correct me as you see fit, but as I understand it,
> > part of the problem we face is that the equivalents of
> > the UID and a GID in UNIX, are mapped to the same address
> > space in Windows.
> > 
> > I was working on some unrelated ACL stuff and thought
> > about the potential of practically eliminating the use
> > of an ACL on a UID and only using ACLs on groups.
> 
> I think this is a very good idea.  We would effectively create a 'user
> private group' for every winbindd user.  And if they turned out to be a
> group, then we just populate them with members!

This is an approach I proposed last summer to Jeremy and
Tridge at Jeremy's, and it would also have cured the "problem" that
all distributions that automatically create a private group for a user
have, but it seems they were not convinced, so I didn't push the idea
any further :-)

> This helps us particularly with the problem that we don't know the type
> of a SID without a lookup - a lookup that may well fail.

Exactly!

> This would also solve a nasty problem we have that we don't know the
> 'real' primary group of every user for NT4 domains, when doing a
> getgrent().  Instead we assume 'domain users'.  This would allow us to
> always know that value.

No, that's not right, we must have a Primary Group in local passdb and
use Domain Users as a fallback.

Simo.

-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399