"algorithmic rid base" bogus?
Volker.Lendecke at SerNet.DE
Tue Dec 27 22:56:01 GMT 2005
On Tue, Dec 27, 2005 at 03:38:16PM -0700, John H Terpstra wrote:
> > The only thought I have was possibly by copying a file (with ACLs) off
> > their file-server?
> Simple solution. If foreign domain support (non-local SIDs) is disabled we
> refuse to copy the file across. In all other cases, we look up the name
> attached to the SID, then create a local mapping and call the "add group
> script" to create a UNIX user or group that is auto-mapped to the Windows
> account (user or group). In all cases preserving the original SID.
> What am I missing here?
You're missing that we're talking about files *already* copied with the
algorithmic mapping. The new one would get a 'S-1-22-2-<gid>' ACL entry.

Argl. This kills all files copied away from Samba to Windows with ACL entries
without explicit mappings. For copies of Samba->Samba we end up with the same
gid, and assuming we have a consistent idmap we're fine here as well.

The Samba->Windows file copy might just assume we have explicit mappings for
all ACL entries. Is that something we can live with?
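
The breakage described in this message, as an added example that is not part of the original post and is not Samba code: it audits the ACL of a file copied off Samba earlier and flags group entries that only resolved through the algorithmic mapping. It assumes the Samba 3.0 formula (rid = id * 2 + base, low bit set for groups) with the default even base of 1000; the domain SID and the explicit mapping used with it are constructed.

```python
# Added illustration; not Samba source code. SIDs and mappings are constructed.
RID_MULTIPLIER = 2                    # algorithmic mapping: rid = id * 2 + base
USER_RID_TYPE, GROUP_RID_TYPE = 0, 1  # low bit distinguishes users from groups
DEFAULT_RID_BASE = 1000               # default of "algorithmic rid base" (assumed even)

def algorithmic_group_sid(domain_sid, gid, rid_base=DEFAULT_RID_BASE):
    """SID an unmapped UNIX group received under the algorithmic scheme."""
    return f"{domain_sid}-{(gid * RID_MULTIPLIER + rid_base) | GROUP_RID_TYPE}"

def unix_group_sid(gid):
    """SID the same unmapped group gets under the scheme discussed above."""
    return f"S-1-22-2-{gid}"

def decode_algorithmic(sid, domain_sid, rid_base=DEFAULT_RID_BASE):
    """Return ('user'|'group', id) for an algorithmic RID in domain_sid, else None."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid or not rid.isdigit() or int(rid) < rid_base:
        return None
    offset = int(rid) - rid_base
    kind = "group" if offset & GROUP_RID_TYPE else "user"
    return kind, offset // RID_MULTIPLIER

def audit_acl(acl_sids, domain_sid, explicit_map, rid_base=DEFAULT_RID_BASE):
    """Classify the ACL entries of a file copied off Samba before the change."""
    report = {}
    for sid in acl_sids:
        if sid in explicit_map:
            # An explicit group mapping keeps the original SID resolvable.
            report[sid] = ("explicit", explicit_map[sid])
            continue
        decoded = decode_algorithmic(sid, domain_sid, rid_base)
        if decoded and decoded[0] == "group":
            # The group is now named by a different SID, so this entry dangles.
            report[sid] = ("stale", unix_group_sid(decoded[1]))
        else:
            report[sid] = ("unknown", None)
    return report
```
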