Why are we allocating ID_TYPE_BOTH on a user or machine SID type ?
steve at steve-ss.com
Thu Oct 17 02:20:03 MDT 2013
On Thu, 2013-10-17 at 10:06 +0200, Volker Lendecke wrote:
> On Wed, Oct 16, 2013 at 09:02:48PM -0700, Jeremy Allison wrote:
> > But in the case where a SID *is* a SID_NAME_USER or a SID_NAME_COMPUTER,
> Well, in the future if we want to support sidHistory, the
> role for SID_NAME_USER will change. What used to be a user
> will not be resolvable anymore and in future tokens will be
> presented to us as part of the auxiliary SIDs. We can only
> make use of those IDs if we put them in as auxiliary groups
> into our unix token. Yes, we need a modifed acl mapping for
> this, so it's probably not done yet. But that is another
> reason for TYPE_BOTH.
We get our user and group rfc2307 information from AD. Are we exempt
from these ID_TYPE_BOTH issues? As far as I can tell, there are certain
SID's that must ID_TYPE_BOTH and these are the ones created in idmap.ldb
just after domain provision. In our domain, nothing is added to that db
when we add a new user or group.
A one liner clarification would be great.
More information about the samba-technical