New approach for winbind to match Windows to UNIX users and back

Andrew Bartlett abartlet at samba.org
Thu Mar 13 10:11:13 GMT 2003 

On Thu, 2003-03-13 at 20:46, Simo Sorce wrote:
> On Thu, 2003-03-13 at 01:32, Andrew Bartlett wrote:
> > On Thu, 2003-03-13 at 10:38, Michael Fair wrote:
> > > I haven't done much work in this are yet so please feel
> > > free to correct me as you see fit, but as I understand it,
> > > part of the problem we face is that the equivalents of
> > > the UID and a GID in UNIX, are mapped to the same address
> > > space in Windows.
> > > 
> > > I was working on some unrelated ACL stuff and thought
> > > about the potential of practically eliminating the use
> > > of an ACL on a UID and only using ACLs on groups.
> > 
> > I think this is a very good idea.  We would effectivly create a 'user
> > private group' for every winbindd user.  And if they turned out to be a
> > group, then we just populate them with members!
> 
> This is an approach I have proposed back last summer to Jeremy and
> Tridge at Jeremy's, and that would have also cured the "problem" that
> all distribution that automatically create a private group for a user
> have, but seem they was not convinced so I didn't pushed the idea
> anymore :-)
> 
> > This helps us particularly with the problem that we don't know the type
> > of a SID without a lookup - a lookup that may well fail.
> 
> Exactly!

I'm glad we agree!

> > This would also solve a nasty problem we have that we don't know the
> > 'real' primary group of every user for NT4 domains, when doing a
> > getgrent().  Instead we assume 'domain users'.  This would allow us to
> > always know that value.
> 
> No, that's not right, we must have a Primary Group in local passdb and
> use Domain Users as a fallback.

This is where I've lost what you mean...

I'm talking about winbind as a domain member, but I'm open to
suggestions.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030313/44ed4965/attachment.bin

More information about the samba-technical mailing list