defining the new idmap subsystem

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Oct 3 10:03:10 GMT 2006


On Tue, Oct 03, 2006 at 12:43:49AM -0400, simo wrote:
> We have determined that it makes sense to create a mapping only if the
> sid is really allocated (and of the right type) in the domain it belongs
> to.

First, I agree with Jeremy that flags are evil. And this
paragraph brings me back to the old idea to allocate both a
uid _and_ a gid whenever we map SIDs to Unix IDs. In many
cases we just cannot ask anybody about the type of SID we
have to map.

The example is from Tridge: Someone backs up his personal
workstation's C: drive to a Samba box. No way to figure out
the SIDs' types.

It would also mean a change in our handling of ACLs and
tokens: We would prefer to put the GID into the Posix ACL,
and also put the corresponding GID into the unix upon
session setup.

One case where this is also really important (I've seen bugs
at user sites...) is the sidHistory. A SID that came around
as a user is not mappable anymore later on, but shows up as
a "group" SID in the user's info3 struct after migration.

I think, having someone working on the idmap, we should really
think about doing the dual-allocations now.

Volker
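
The sidHistory case from the message above, as an added example that is not part of the original post and is not Samba code: a toy model contrasting a mapping fixed to the type seen first with one that allocates both a uid and a gid per SID. The class names, the ID base and the SID are constructed for illustration.

```python
# Toy model of the two mapping policies discussed in the message.
# All names are hypothetical; this is not Samba's idmap API.
from itertools import count


class TypedIdmap:
    """Maps a SID to a uid OR a gid, fixed by the type seen at first mapping."""

    def __init__(self, base=10000):
        self._next = count(base)
        self._map = {}  # sid -> (kind, unix_id)

    def lookup(self, sid, kind):
        if sid not in self._map:
            self._map[sid] = (kind, next(self._next))
        stored_kind, unix_id = self._map[sid]
        # A SID first mapped as a user cannot be resolved as a group later.
        return unix_id if stored_kind == kind else None


class DualIdmap:
    """Allocates a uid AND a gid the first time a SID is mapped."""

    def __init__(self, base=10000):
        self._next = count(base)
        self._map = {}  # sid -> {"uid": n, "gid": m}

    def lookup(self, sid, kind):
        if sid not in self._map:
            self._map[sid] = {"uid": next(self._next), "gid": next(self._next)}
        # The SID's type never has to be known: both answers already exist.
        return self._map[sid][kind]


def sid_history_case(idmap):
    """Constructed scenario: a SID mapped as a user, later seen as a group SID."""
    old_sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
    as_user = idmap.lookup(old_sid, "uid")   # before migration
    as_group = idmap.lookup(old_sid, "gid")  # after migration, via sidHistory
    return as_user, as_group


if __name__ == "__main__":
    print("typed:", sid_history_case(TypedIdmap()))
    print("dual: ", sid_history_case(DualIdmap()))
```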