defining the new idmap subsystem

simo idra at samba.org
Tue Oct 3 12:13:51 GMT 2006


On Tue, 2006-10-03 at 12:03 +0200, Volker Lendecke wrote:
> On Tue, Oct 03, 2006 at 12:43:49AM -0400, simo wrote:
> > We have determined that it makes sense to create a mapping only if the
> > sid is really allocated (and of the right type) in the domain it belongs
> > to.
> 
> First, I agree with Jeremy that flags are evil. And this
> paragraph brings me back to the old idea to allocate both a
> uid _and_ a gid whenever we map SIDs to Unix IDs. In many
> cases we just cannot ask anybody about the type of SID we
> have to map.

yup.

> The example is from Tridge: Someone backs up his personal
> workstation's C: drive to a Samba box. No way to figure out
> the SIDs' types.
> 
> It would also mean a change in our handling of ACLs and
> tokens: We would prefer to put the GID into the Posix ACL,
> and also put the corresponding GID into the unix upon
> session setup.
> 
> One case where this is also really important (I've seen bugs
> at user sites...) is the sidHistory. A SID that came around
> as a user is not mappable anymore later on, but shows up as
> a "group" SID in the user's info3 struct after migration.

These were exactly the cases I had in mind when I say that I am not sure
lookupsid covers all the cases. You confirm my doubts.


> I think having someone working on the idmap we should really
> think about doing the dual-allocations now.


This is possible but needs more discussion then.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
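
The sidHistory case discussed in this message, as an added C example that is not part of the original email and is not Samba code: a toy map shows a type-bound allocation refusing a SID that was first mapped as a user and later requested as a group, while a dual allocation answers both requests. All names (`struct idmap`, `sid_to_unixid`, `sidhistory_case`), the SID string, the ID range, and the choice to give the uid and gid the same number are assumptions made for the illustration.

```c
/* Added illustration, not Samba code; every name here is hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_MAP 16
enum want { WANT_UID, WANT_GID };
struct map_entry { char sid[64]; int has_uid, has_gid; unsigned uid, gid; };
struct idmap {
    struct map_entry e[MAX_MAP];
    int n;            /* entries used; the struct must start zeroed */
    unsigned next_id; /* next free Unix ID (constructed range) */
    int dual;         /* 1: allocate a uid and a gid together */
};

static struct map_entry *find_or_add(struct idmap *m, const char *sid) {
    for (int i = 0; i < m->n; i++)
        if (strcmp(m->e[i].sid, sid) == 0) return &m->e[i];
    if (m->n == MAX_MAP) return NULL;
    struct map_entry *e = &m->e[m->n++];
    snprintf(e->sid, sizeof(e->sid), "%s", sid);
    return e;
}

/* Returns 0 and sets *id, or -1 if the SID has no ID of the wanted kind. */
int sid_to_unixid(struct idmap *m, const char *sid, enum want w, unsigned *id) {
    struct map_entry *e = find_or_add(m, sid);
    if (e == NULL) return -1;
    if (!e->has_uid && !e->has_gid) {          /* first sight: allocate */
        if (m->dual || w == WANT_UID) { e->uid = m->next_id; e->has_uid = 1; }
        if (m->dual || w == WANT_GID) { e->gid = m->next_id; e->has_gid = 1; }
        m->next_id++; /* assumption: in dual mode uid and gid share one number */
    }
    if (w == WANT_UID && e->has_uid) { *id = e->uid; return 0; }
    if (w == WANT_GID && e->has_gid) { *id = e->gid; return 0; }
    return -1;
}

/* sidHistory case: a SID first mapped as a user later shows up as a group. */
int sidhistory_case(int dual) {
    struct idmap m = { .next_id = 10000, .dual = dual };
    unsigned id;
    const char *sid = "S-1-5-21-1-2-3-1105"; /* constructed SID */
    if (sid_to_unixid(&m, sid, WANT_UID, &id) != 0) return -2;
    return sid_to_unixid(&m, sid, WANT_GID, &id);
}

int main(void) {
    printf("typed: %d  dual: %d\n", sidhistory_case(0), sidhistory_case(1));
    return 0;
}
```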


