Setting ACLs when creating files from Windows

simo idra at samba.org
Thu Aug 7 14:22:59 GMT 2008


On Thu, 2008-08-07 at 15:41 +0200, Kai Blin wrote:
> On Thursday 07 August 2008 13:48:13 simo wrote:
> 
> > To be honest, windows machines can store in the file system just any SID
> > handed to them, but they will never do any mapping server side.
> > So if you take 2 windows clients and try to set the SID of user Foo on
> > client 1 on client 2, user Foo of client 2 will not actually be able to
> > access the resource, as the SID will not match.
> 
> So basically this would work in Samba4? As far as I understand, the limitation 
> is that S3 requires foreign SIDs to map to a user, and as the servers are 
> running standalone, winbind is not used for uid<->sid mapping.
> Samba4 currently maps whatever SID to a unix uid if it needs to pass it to 
> something that only understands uids/gids, always making use of winbind for 
> this mapping. This sounds like what Windows is doing, just that we need to do 
> the sid<->uid step to keep POSIX filesystems happy.

Samba3 could do the same with winbindd running, the problem is that
usually you do not want to allocate random SIDs. The reason is that the
UID space is limited compared to the SID space and if you allow any SID
to be set without verifying it is actually an allocated one you open a
simple path for a DoS (create a fake Domain SID, then run through all
RIDs for that fake domain SID and set the resulting SIDs on a file one
by one, and you have depleted all available UIDs in a moment).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
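The exhaustion problem Simo describes, as an added simulation that is not Samba or winbindd code: a toy SID-to-UID allocator with a bounded uid pool, run in the unverified mode the mail warns about and in a verifying mode that only spends a uid on SIDs a known domain reports as allocated. The domain SIDs, the uid range and the "known domains" table are constructed for the example.

```python
"""Simulated SID -> UID allocation: unverified SIDs exhaust a bounded uid pool.

Added example, not Samba code. Domain SIDs, RIDs and the uid range below are
constructed values.
"""
import re

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split 'S-1-5-21-x-y-z-RID' into (domain_sid, rid); None if malformed."""
    if not _SID_RE.match(sid):
        return None
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


class UidAllocator:
    """Hands out uids from a fixed range, like an idmap allocation backend."""

    def __init__(self, uid_low, uid_high, known_domains, verify):
        self.free = list(range(uid_low, uid_high + 1))  # bounded uid pool
        self.mapping = {}                               # sid -> uid
        self.known_domains = known_domains              # domain_sid -> allocated RIDs
        self.verify = verify

    def sid_is_allocated(self, domain_sid, rid):
        """Stand-in for asking a trusted domain whether this RID really exists."""
        rids = self.known_domains.get(domain_sid)
        return rids is not None and rid in rids

    def allocate(self, sid):
        """Return a uid for sid, or None if the SID is rejected or the pool is empty."""
        if sid in self.mapping:
            return self.mapping[sid]
        parsed = split_sid(sid)
        if parsed is None:
            return None
        domain_sid, rid = parsed
        if self.verify and not self.sid_is_allocated(domain_sid, rid):
            return None  # unknown domain or unallocated RID: no uid is spent
        if not self.free:
            return None  # uid space exhausted
        uid = self.free.pop(0)
        self.mapping[sid] = uid
        return uid


def simulate(verify, pool_size=100, foreign_acl_entries=200):
    """Set ACL entries from a domain nobody trusts, then map one real user."""
    real_domain = "S-1-5-21-1000-2000-3000"      # constructed domain SID
    known = {real_domain: {1001}}                # constructed: one real user, RID 1001
    alloc = UidAllocator(10000, 10000 + pool_size - 1, known, verify)
    unknown_domain = "S-1-5-21-4-5-6"            # constructed, unknown to the server
    spent = 0
    for rid in range(1000, 1000 + foreign_acl_entries):
        if alloc.allocate(f"{unknown_domain}-{rid}") is not None:
            spent += 1
    real_uid = alloc.allocate(f"{real_domain}-1001")
    return {
        "uids_spent_on_unknown": spent,
        "pool_left": len(alloc.free),
        "real_user_uid": real_uid,
    }


if __name__ == "__main__":
    print("unverified:", simulate(verify=False))
    print("verified:  ", simulate(verify=True))
```

With verification off, every ACL entry from the made-up domain consumes a uid until the pool is empty and the real user can no longer be mapped; with verification on, no uid is spent on SIDs the server cannot confirm, so the real user still gets one.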
