extending nss and examples/nss a bit

Luke Howard lukeh at PADL.COM
Wed Jan 14 07:16:14 GMT 2004

Also, rather than adding a Windows security-specific API it would be nice
to see (and perhaps more likely to be accepted) an API for mapping
arbitrary identities given the constraints of POSIX, e.g.:

/* map a qualified internal security identity to a mapped identity */
/* eg map an NT SID to a POSIX UID/GID */
enum nss_status _nss_XXX_map_qisid(qualified_isid_t *qisid,
				   mapped_isid_type_t type,
				   mapped_isid_t *misid);

/* un-map a mapped internal security identity to a qualified one */
/* eg map a POSIX UID/GID to an NT SID */
enum nss_status _nss_XXX_map_misid(mapped_isid_t *misid,
				   qualified_isid_type_t type,
				   qualified_isid_t *qisid);

cf: http://www.ietf.org/internet-drafts/draft-williams-nfsv4-ace-mapping-01.txt.

Note the use of the term "sid" above is not identical to Windows SIDs,
so read the above document first :-)

I am in favour of a well thought out mapping API that can eventually be
exposed by the C library, even if initially implemented only by some
specific modules whose consumers are the applications themselves (rather
than NSS). APIs are hard to change, and an identity mapping API that
does not directly expose Windows security primitives has a chance of
being accepted not just by glibc, but also by other UNIX vendors.
It also ties in with others' NFSv4 efforts.

But maybe this jet lag is just making me idealistic :-)


-- Luke

>From: Luke Howard <lukeh at PADL.COM>
>Subject: Re: extending nss and examples/nss a bit
>To: tridge at samba.org
>Cc: jerry at samba.org, Volker.Lendecke at SerNet.DE, simo.sorce at xsec.it, samba-technical at samba.org
>Date: Wed, 14 Jan 2004 14:31:23 +1100
>Organization: PADL Software Pty Ltd
>Versions: dmail (bsd44) 2.4c/makemail 2.9d
>>Once you do this I think it is fairly natural to start extending nss
>>within the spirit of the nss framework of calls. The nss_sidtoname()
>>is the obvious syntax in keeping with the other standard nss calls,
>>and I think would be quite a sane extension to actually add to the nss
>>standard at some stage. While at the moment the call is only available
>>via dlopen() I hope that it will eventually be available in glibc and
>>other C libraries to provide a much better degree of interoperability
>>with the MS world.
>We can add similar functions to nss_ldap, too. But it would be useful to
>discuss the API at least at a high level with the appropriate glibc folk
>(Ulrich was the last person who let me add an NSS interface about six
>years ago -- the getaliasbyname() stuff which came from NEXTSTEP :-)).
>-- Luke
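The API sketch in the message above only gives two prototypes. Below is an added example, written for this page and not code from the post, from glibc, from Samba or from the draft-williams document, of what a module behind that API could look like: an algorithmic (RID-offset) mapping of an NT SID to a POSIX UID/GID and back, in the style of a winbind "rid" idmap backend. The type names qualified_isid_t, mapped_isid_t and their _type_t companions are the post's placeholders and are defined here as assumptions; the module name _nss_example_, the domain SID and the 10000..19999 range are constructed for the example. The enum nss_status is declared locally with glibc's values so the file builds without <nss.h>.

```c
/* Added example: a SID <-> POSIX id mapping module in the shape proposed above.
 * Not code from the post, glibc, Samba or draft-williams-nfsv4-ace-mapping.
 * Type names follow the post's placeholders; their layout is assumed here. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Same values as glibc's <nss.h>; declared locally so the example is self-contained. */
enum nss_status {
    NSS_STATUS_TRYAGAIN = -2,
    NSS_STATUS_UNAVAIL  = -1,
    NSS_STATUS_NOTFOUND = 0,
    NSS_STATUS_SUCCESS  = 1
};

/* "Qualified" identity: here an NT SID in string form, e.g. S-1-5-21-a-b-c-RID (assumed layout). */
typedef struct { char sid[128]; } qualified_isid_t;
typedef enum { QISID_NT_SID } qualified_isid_type_t;

/* "Mapped" identity: a POSIX uid or gid (assumed layout). */
typedef enum { MISID_POSIX_UID, MISID_POSIX_GID } mapped_isid_type_t;
typedef struct {
    mapped_isid_type_t type;
    union { uid_t uid; gid_t gid; } u;
} mapped_isid_t;

/* Constructed configuration: one domain SID and the id range it is allowed to occupy.
 * The range check is what keeps a foreign RID from landing on a local account. */
#define DOMAIN_SID "S-1-5-21-1234567890-987654321-1122334455"
#define RANGE_LOW  10000u
#define RANGE_HIGH 19999u

/* Split "<DOMAIN_SID>-<rid>" into its RID after checking the domain prefix exactly.
 * Returns 0 on success, -1 if the SID is not from our domain or is malformed. */
static int split_sid(const char *sid, uint32_t *rid)
{
    size_t dlen = strlen(DOMAIN_SID);
    if (strncmp(sid, DOMAIN_SID, dlen) != 0 || sid[dlen] != '-')
        return -1;                      /* different domain, or a longer sub-authority */
    const char *p = sid + dlen + 1;
    if (p[0] < '0' || p[0] > '9')
        return -1;                      /* strtoul would accept blanks and signs; we do not */
    char *end;
    errno = 0;
    unsigned long v = strtoul(p, &end, 10);
    if (errno != 0 || *end != '\0' || v > 0xFFFFFFFFul)
        return -1;                      /* trailing junk or RID out of 32-bit range */
    *rid = (uint32_t)v;
    return 0;
}

/* Map a qualified identity (NT SID) to a POSIX uid or gid, as requested by `type`. */
enum nss_status _nss_example_map_qisid(const qualified_isid_t *qisid,
                                       mapped_isid_type_t type,
                                       mapped_isid_t *misid)
{
    uint32_t rid;
    if (split_sid(qisid->sid, &rid) != 0)
        return NSS_STATUS_NOTFOUND;     /* not ours: let the next module in nsswitch try */
    uint64_t id = (uint64_t)RANGE_LOW + rid;
    if (id > RANGE_HIGH)
        return NSS_STATUS_NOTFOUND;     /* outside the configured range, never alias a local id */
    misid->type = type;
    if (type == MISID_POSIX_UID)
        misid->u.uid = (uid_t)id;
    else
        misid->u.gid = (gid_t)id;
    return NSS_STATUS_SUCCESS;
}

/* Un-map a POSIX uid/gid back to the qualified identity it was derived from. */
enum nss_status _nss_example_map_misid(const mapped_isid_t *misid,
                                       qualified_isid_type_t type,
                                       qualified_isid_t *qisid)
{
    if (type != QISID_NT_SID)
        return NSS_STATUS_UNAVAIL;      /* this module only speaks NT SIDs */
    uint32_t id = (misid->type == MISID_POSIX_UID) ? (uint32_t)misid->u.uid
                                                   : (uint32_t)misid->u.gid;
    if (id < RANGE_LOW || id > RANGE_HIGH)
        return NSS_STATUS_NOTFOUND;     /* a local account, not one we mapped */
    int n = snprintf(qisid->sid, sizeof qisid->sid, "%s-%u", DOMAIN_SID, id - RANGE_LOW);
    if (n < 0 || (size_t)n >= sizeof qisid->sid)
        return NSS_STATUS_UNAVAIL;
    return NSS_STATUS_SUCCESS;
}

int main(void)
{
    qualified_isid_t q = { .sid = DOMAIN_SID "-1001" };   /* constructed input */
    mapped_isid_t m;
    qualified_isid_t back;
    if (_nss_example_map_qisid(&q, MISID_POSIX_UID, &m) == NSS_STATUS_SUCCESS &&
        _nss_example_map_misid(&m, QISID_NT_SID, &back) == NSS_STATUS_SUCCESS)
        printf("%s -> uid %u -> %s\n", q.sid, (unsigned)m.u.uid, back.sid);
    return 0;
}
```

Two things a module like this must get right, whatever the final API looks like: a SID from any other domain, or a RID that would fall outside the configured range, returns NSS_STATUS_NOTFOUND rather than a guessed id, so it can never alias root or another local account; and the reverse mapping refuses ids below the range for the same reason. A real backend would replace the single hard-coded domain with a table of trusted domains and ranges.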
