Proposal: SIDs in smb.conf

Gerald (Jerry) Carter jerry at samba.org
Wed Feb 15 21:39:26 GMT 2006


I have a proposal that Jeremy, Simo, & I discussed briefly
on IRC.

The problem is that certain well-known groups (e.g.
Domain Admins) are localized for non-English versions of
Windows.  Currently we rely on the administrator to
enter this name in its correct form as values for parameters
such as 'write list', 'admin users', etc.
In certain corner case situations this will fail (e.g. one
English DC and one German DC in the same domain).

What I would like to do is to also support string
representations of SIDs (S-1-....) in smb.conf.  The check
would go in user_in_list() and simply call
nt_token_check_sid() to check for membership.

I would also propose a shorthand (Simo's idea IIRC) notation
such as S-<NAME>-###.  In this way, the admin or
management tool would not need to know the actual domain
or workstation SID and it is at least easy to read.

Long term, we could internally convert the entire value
list from smb.conf to a list of SIDs and throw away some
of the string comparisons.  I can code this up pretty
quickly and post a patch if people like.  I'm more curious
about other people's reaction to this.

Votes?




cheers, jerry
=====================================================================
I live in a Reply-to-All world                -----------------------
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com


More information about the samba-technical mailing list
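
The membership check proposed in the message above, as an added stand-alone sketch; it is not Samba code and not from the original post, and it does not call user_in_list() or nt_token_check_sid(). The type `struct sid`, the functions `parse_num`, `parse_sid`, `resolve_entry` and `entry_in_token`, the `domains` table and the name EXAMPLEDOM are hypothetical, and reading the shorthand as S-<NAME>-<RID> (domain SID plus a relative ID) is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_SUBS 15
struct sid { uint64_t auth; int n; uint32_t sub[MAX_SUBS]; }; /* simplified type */
/* Constructed name-to-SID table standing in for a real domain lookup. */
static const struct { const char *name, *sid; } domains[] = {
    { "EXAMPLEDOM", "S-1-5-21-1111111111-2222222222-3333333333" } };

/* Strict decimal field: no sign, whitespace, empty field or overflow. */
static int parse_num(const char *s, char **end, uint64_t max, uint64_t *v) {
    if (*s < '0' || *s > '9') return -1;
    return (*v = strtoull(s, end, 10)) > max ? -1 : 0;
}

/* Literal "S-1-<authority>-<sub>...": 0 on success, -1 if malformed. */
static int parse_sid(const char *s, struct sid *out) {
    char *end; uint64_t v = 0;
    if (strncmp(s, "S-1-", 4) != 0) return -1;
    if (parse_num(s + 4, &end, 0xFFFFFFFFFFFFULL, &out->auth)) return -1;
    for (out->n = 0; *end == '-'; out->sub[out->n++] = (uint32_t)v)
        if (out->n == MAX_SUBS || parse_num(end + 1, &end, UINT32_MAX, &v)) return -1;
    return *end ? -1 : 0;
}

/* Literal SID, or the shorthand read here as "S-<NAME>-<RID>" (an assumption). */
static int resolve_entry(const char *e, struct sid *out) {
    char *end; uint64_t rid = 0; const char *dash = strrchr(e, '-');
    if (parse_sid(e, out) == 0) return 0;
    if (strncmp(e, "S-", 2) != 0 || dash <= e + 2) return -1;
    if (parse_num(dash + 1, &end, UINT32_MAX, &rid) || *end) return -1;
    size_t len = (size_t)(dash - e - 2);
    for (size_t i = 0; i < sizeof domains / sizeof *domains; i++)
        if (strlen(domains[i].name) == len && !strncmp(e + 2, domains[i].name, len) &&
            parse_sid(domains[i].sid, out) == 0 && out->n < MAX_SUBS) {
            out->sub[out->n++] = (uint32_t)rid;
            return 0;
        }
    return -1;
}

/* 1 if the entry resolves to a SID in the token; malformed or unknown gives 0. */
int entry_in_token(const char *entry, const struct sid *tok, int ntok) {
    struct sid w;
    if (resolve_entry(entry, &w)) return 0;
    for (int i = 0; i < ntok; i++)
        if (tok[i].auth == w.auth && tok[i].n == w.n &&
            !memcmp(tok[i].sub, w.sub, w.n * sizeof w.sub[0])) return 1;
    return 0;
}
```

An entry that is neither a valid SID string nor a resolvable shorthand never matches, so a typo in such a list denies access rather than granting it.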