Mapping Windows groups to uids (with idmap and rid)
Kai Blin
kai at samba.org
Wed Oct 22 05:18:09 GMT 2008
On Tuesday 21 October 2008 19:35:59 Assar wrote:
> I discovered that in Windows, files can be owned by a group and that this
> is not supported by Samba (3.2.3). In my case, I'm using idmap and
> rid.
It's actually not supported by POSIX.
> How can these Windows groups be mapped to uids?
>
> If my limited understanding is correct, the mappings that you have are:
> (with idmap and rid - perhaps this is not the case in general?)
>
> Windows group: SID=s0, RID=r0 <- -> gid_t = g0 = f(r0)
> Windows user: SID=s1, RID=r1 <- -> uid_t = u1 = f(r1)
Sort of. IIRC there's an idmap plugin to just map rids to uids or gids
directly. However, the RID part is only unique per domain SID. So this type
of mapping breaks down if there are e.g. trust relationships.
> And if I understand this correctly, the RID namespace is global, so
> there can never be a windows group and user with the same RID?
Well, they're unique per domain SID. But of course it's just as easy to do
what you're suggesting below with SIDs instead of RIDs.
> If that's the case, what's to stop us from defining a mapping:
>
> Windows group: SID=s0, RID=r0 <- -> uid_t = u0 = g0 = f(r0)
>
> If the RID namespace is the same, there should not exist a user with
> RID=r0 and this mapping would be unambiguous?
That's how Samba4 idmap works (if you replace the use of the RID by the full
SID). It should be possible to implement this for Samba3 as well. However,
the way Samba3 handles users is a bit different, so perhaps someone who has
more experience with the related Samba3 code can comment if this would break
any assumptions Samba3 makes.
Cheers,
Kai
--
Kai Blin
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
--
Will code for cotton.
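
An added illustration of the two mappings discussed in this message (not part of the original post and not Samba code): a RID-only function f(RID) gives the same Unix id to principals from two domains, while a table keyed on the full SID gives each principal one id that can serve as both uid and gid. The SIDs, id ranges and all function and class names are constructed for the example.

```python
# Added example: constructed SIDs and a hypothetical allocator, not Samba's idmap code.

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return domain, int(rid)

def rid_only_id(sid, base=10000):
    """f(RID): the domain SID is ignored, so the result is only unique per domain."""
    return base + split_sid(sid)[1]

class SidIdMap:
    """One Unix id per full SID; the same number is used as uid and as gid."""
    def __init__(self, low=100000, high=199999):  # assumed id range
        self.next_id, self.high = low, high
        self.by_sid, self.by_id = {}, {}

    def sid_to_id(self, sid):
        split_sid(sid)  # reject malformed input before allocating
        if sid not in self.by_sid:
            if self.next_id > self.high:
                raise RuntimeError("id range exhausted")
            self.by_sid[sid] = self.next_id
            self.by_id[self.next_id] = sid
            self.next_id += 1
        return self.by_sid[sid]

    def id_to_sid(self, unix_id):
        return self.by_id[unix_id]

# Constructed sample principals: a group in domain A and a user in trusted domain B
# that happen to share RID 1105.
DOM_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOM_B = "S-1-5-21-4444444444-5555555555-6666666666"
GROUP_A = DOM_A + "-1105"
USER_B = DOM_B + "-1105"

def demo():
    m = SidIdMap()
    return {
        "rid_collision": rid_only_id(GROUP_A) == rid_only_id(USER_B),
        "group_id": m.sid_to_id(GROUP_A),   # usable as uid (file owner) and gid
        "user_id": m.sid_to_id(USER_B),
        "round_trip": m.id_to_sid(m.sid_to_id(GROUP_A)) == GROUP_A,
    }

if __name__ == "__main__":
    print(demo())
```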