svn commit: samba r21881 - in branches/SAMBA_3_0/source: nsswitch passdb

Gerald (Jerry) Carter jerry at samba.org
Tue Mar 20 02:55:42 GMT 2007


James Peach wrote:

> Gerald (Jerry) Carter wrote:
>> I'm not sure about the pdb_interface though.  This allows the
>> passdb sid_to_id function to resolve things like NT_AUTHORITY to
>> a gid which is definitely a change in behavior.  Do the WKN sids
>> really need to be mapped to a gid?  In the past these have only
>> been of concern in the NT_USER_TOKEN.
> 
> Open Directory maps these well-known SIDs by default:
> 
> S-1-5-11
> S-1-5-13
> S-1-5-18
> S-1-5-1
> S-1-1-0
> S-1-3-1
> S-1-5-4
> S-1-5-2
> S-1-3-0
> 
> I guess the alternative to pushing these through to the 
> passdb backend would be to let the default idmap module
> handle them. I figured that this would break the local
> vs remote division though.

Yeah.  I agree the local vs. remote distinction between
passdb and idmap is good and this would technically fall
under that rule.  But historically, Samba has not mapped
the well known SIDs to gids as they were only used in
the NT token.

I don't see any reasons to allow or encourage people to
start mapping these SIDs now.  They don't offer us any
additional functionality that we don't already have with
BUILTIN or local groups.

I understand that Apple does map these to gids but I'm
not sure that's a good idea.  Other people should weigh
in on this I think.  Maybe I'm missing something.



cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian