Proposal: SIDs in smb.conf

Andrew Bartlett abartlet at samba.org
Thu Feb 16 12:51:01 GMT 2006


On Wed, 2006-02-15 at 15:39 -0600, Gerald (Jerry) Carter wrote:
> I have a proposal that Jeremy, Simo, & I discussed briefly
> on IRC.
> 
> The problem is that certain well known groups (e.g.
> Domain Admins) are localized for non-English versions of
> Windows.  Currently we rely on the administrator to
> enter this name in its correct form as values for parameters
> such as 'write list', 'admin users', etc....
> In certain corner case situations this will fail (e.g. one
> English DC and one German DC in the same domain).
> 
> What I would like to do is to also support string
> representations of SIDs (S-1-....) in smb.conf.  The check
> would go in user_in_list() and simply call
> nt_token_check_sid() to check for membership.
> 
> I would also propose a shorthand (Simo's idea IIRC) notation
> such as S-<NAME>-###.  In this way, the admin or
> management tool would not need to know the actual domain
> or workstation SID and it is at least easy to read.

I already encourage this notation for the ntlm_auth
--require-membership-of option, often placed in squid and pam config
files.  The shorthand would be easier on our users, but avoiding a
runtime name lookup is a very good thing.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
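The following is an added example, not Samba code and not from either poster, sketching what the proposed user_in_list() branch would look like: an smb.conf list entry is parsed as a SID string, the S-<NAME>-### shorthand is expanded against a table of known domain and workstation SIDs (here a constructed in-memory table, which I assume stands in for the local SAM or winbind; NAME is read as the domain or workstation NetBIOS name), and membership is decided by comparing SIDs in the user's token, so no localized group name is ever looked up. All SID values and names are constructed for the example.

```c
/* Added example (not Samba code): SID strings and S-NAME-RID shorthand in an
 * access list, checked against a token by SID comparison instead of by name. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUBAUTH 15

/* Binary form of a Windows SID: S-<rev>-<id_auth>-<sub>[-<sub>...] */
struct sid {
    uint8_t  rev;
    uint8_t  num_auths;
    uint64_t id_auth;
    uint32_t sub[MAX_SUBAUTH];
};

/* Read one unsigned decimal field (at least one digit, no larger than max). */
static int read_num(const char **p, unsigned long long *v, unsigned long long max)
{
    unsigned long long n = 0;
    const char *s = *p;
    if (!isdigit((unsigned char)*s)) return 0;
    for (; isdigit((unsigned char)*s); s++) {
        n = n * 10 + (unsigned)(*s - '0');
        if (n > max) return 0;
    }
    *p = s; *v = n;
    return 1;
}

/* Parse the textual form "S-1-5-21-...". Returns 1 on success, 0 if malformed. */
static int parse_sid(const char *s, struct sid *out)
{
    unsigned long long v;
    memset(out, 0, sizeof *out);
    if (toupper((unsigned char)s[0]) != 'S' || s[1] != '-') return 0;
    s += 2;
    if (!read_num(&s, &v, 255) || v != 1 || *s != '-') return 0;   /* revision 1 */
    out->rev = (uint8_t)v;
    s++;
    if (!read_num(&s, &v, 0xffffffffffffULL)) return 0;            /* 48-bit authority */
    out->id_auth = v;
    while (*s == '-') {
        s++;
        if (out->num_auths == MAX_SUBAUTH || !read_num(&s, &v, 0xffffffffULL)) return 0;
        out->sub[out->num_auths++] = (uint32_t)v;
    }
    return *s == '\0';
}

static int sid_equal(const struct sid *a, const struct sid *b)
{
    return a->rev == b->rev && a->id_auth == b->id_auth && a->num_auths == b->num_auths &&
           memcmp(a->sub, b->sub, a->num_auths * sizeof a->sub[0]) == 0;
}

/* Constructed sample table of domain/workstation SIDs. On a real server this
 * comes from the local SAM or winbind, never from smb.conf itself. */
struct domain_entry { const char *name; const char *sid; };
static const struct domain_entry domains[] = {
    { "EXAMPLE", "S-1-5-21-1111-2222-3333" },
    { "WS01",    "S-1-5-21-4444-5555-6666" },
};

static int name_eq_nocase(const char *a, size_t alen, const char *b)
{
    if (strlen(b) != alen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i])) return 0;
    return 1;
}

/* Resolve one list entry: a full SID string, or the shorthand S-NAME-RID
 * expanded to "<SID of NAME>-RID" by a local table scan (no network lookup). */
static int resolve_entry(const char *entry, struct sid *out)
{
    if (toupper((unsigned char)entry[0]) == 'S' && entry[1] == '-' &&
        !isdigit((unsigned char)entry[2])) {
        const char *name = entry + 2, *dash = strrchr(name, '-');
        char buf[128];
        if (dash == NULL || dash == name) return 0;
        for (size_t i = 0; i < sizeof domains / sizeof domains[0]; i++) {
            if (!name_eq_nocase(name, (size_t)(dash - name), domains[i].name)) continue;
            if (snprintf(buf, sizeof buf, "%s%s", domains[i].sid, dash) >= (int)sizeof buf) return 0;
            return parse_sid(buf, out);
        }
        return 0;   /* unknown name: deny, do not fall back to a name lookup */
    }
    return parse_sid(entry, out);
}

/* The membership test nt_token_check_sid() would do: SID equality over the token. */
static int token_has_sid(const struct sid *token, size_t n, const struct sid *s)
{
    for (size_t i = 0; i < n; i++)
        if (sid_equal(&token[i], s)) return 1;
    return 0;
}

/* Mirrors the proposed user_in_list() branch: entries that parse as a SID (or
 * shorthand) are decided by token membership; malformed entries never match. */
static int entry_matches_token(const char *entry, const struct sid *token, size_t n)
{
    struct sid s;
    return resolve_entry(entry, &s) && token_has_sid(token, n, &s);
}

int main(void)
{
    static const char *groups[] = { "S-1-5-21-1111-2222-3333-1104",   /* user */
        "S-1-5-21-1111-2222-3333-513", "S-1-5-21-1111-2222-3333-512", "S-1-5-32-544" };
    static const char *entries[] = { "S-EXAMPLE-512", "S-1-5-32-544", "S-WS01-512",
        "S-EXAMPLE-999", "S-1-5-21-x" };
    struct sid token[4];
    for (size_t i = 0; i < 4; i++) parse_sid(groups[i], &token[i]);
    for (size_t i = 0; i < 5; i++)
        printf("%-16s -> %s\n", entries[i],
               entry_matches_token(entries[i], token, 4) ? "member" : "no match");
    return 0;
}
```

Note the two deliberate choices: an unknown name in the shorthand is refused outright rather than handed to a name lookup, so the "avoid a runtime name lookup" property the reply values is preserved; and a malformed SID string never matches, so a typo in 'admin users' fails closed.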