unpack_nt_owners fails with owner S-1-5-32-544

simo idra at samba.org
Wed Oct 25 19:39:42 GMT 2006


On Wed, 2006-10-25 at 18:13 +0200, Volker Lendecke wrote:
> On Wed, Oct 25, 2006 at 07:21:05AM +1000, tridge at samba.org wrote:
> >  - once we know which type the SID is, update the sidmap database to
> >    flag which type it is, but also keep in the database the 'wrong'
> >    mapping, keeping the incorrect gid or uid reserved.
> 
> One problem here: The role as perceived by Samba can change.
> A user SID that we get as such in the token can show up in
> the groups list via the sidHistory feature later on. This is
> a different problem, but I just wanted to note that "once we
> know which type the SID is" is not as fixed as you might
> wish.

Yeah, the only solution to be able to access files is that you map that
SID to a group and store an ACE for that group, this is one of the
reasons I crazily talk of unifying the UID and GID spaces into the GID
space :-)
At least for this kind of SID it seems there is no other way, and if we
think that any SID can become a sidHistory in time (as a previous normal
domain can be migrated to a new domain) then we are really back to
considering always adding a "user-group" ACE anyway.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org


