New approach for winbind to match Windows to UNIX users and back
Andrew Bartlett
abartlet at samba.org
Thu Mar 13 10:11:13 GMT 2003
On Thu, 2003-03-13 at 20:46, Simo Sorce wrote:
> On Thu, 2003-03-13 at 01:32, Andrew Bartlett wrote:
> > On Thu, 2003-03-13 at 10:38, Michael Fair wrote:
> > > I haven't done much work in this area yet so please feel
> > > free to correct me as you see fit, but as I understand it,
> > > part of the problem we face is that the equivalents of
> > > the UID and a GID in UNIX, are mapped to the same address
> > > space in Windows.
> > >
> > > I was working on some unrelated ACL stuff and thought
> > > about the potential of practically eliminating the use
> > > of an ACL on a UID and only using ACLs on groups.
> >
> > I think this is a very good idea. We would effectively create a 'user
> > private group' for every winbindd user. And if they turned out to be a
> > group, then we just populate them with members!
>
> This is an approach I proposed last summer to Jeremy and
> Tridge at Jeremy's, and that would have also cured the "problem" that
> all distributions that automatically create a private group for a user
> have, but it seems they were not convinced, so I didn't push the idea
> any more :-)
>
> > This helps us particularly with the problem that we don't know the type
> > of a SID without a lookup - a lookup that may well fail.
>
> Exactly!

I'm glad we agree!

> > This would also solve a nasty problem we have that we don't know the
> > 'real' primary group of every user for NT4 domains, when doing a
> > getgrent(). Instead we assume 'domain users'. This would allow us to
> > always know that value.
>
> No, that's not right, we must have a Primary Group in local passdb and
> use Domain Users as a fallback.

This is where I've lost what you mean...
I'm talking about winbind as a domain member, but I'm open to
suggestions.

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net