[Samba] sid_to_uid: Domain controller lookup missing

Christopher Odenbach odenbach at hni.uni-paderborn.de
Tue Sep 17 06:02:20 GMT 2002


Hi,

> > with samba WITHOUT using winbind. Sorry, but this is not acceptable
> > for me (and for sure quite a few other people).
>
> You are incorrect. ACLs in Samba work without winbindd.
> The problem occurs when you want to use the Domain SIDs
> from a different authority than the Samba server in an
> ACL.

OK, I had understood this. But: My samba server _is not_ the authority 
in our net, it is just an ordinary domain member. So it _has_ to ask an 
authority, so to say a PDC or BDC.

> To boil it down. Imagine you have 2 unix systems using
> /etc/passwd. You have a user "jill" in both systems with
> a different uid - both of which are in use on the other
> system. Explain how to set up a POSIX ACL on either machine
> which contains both "jill" users. That is the problem you
> are trying to describe - no Windows or Samba involved.

No, no. The situation you describe includes two user databases which 
partially have the same usernames but different uids. It is absolutely clear 
that I cannot mix them up to say one ACL entry which only contains 
uids, or names.

On the other side in my case I also have two user databases, unix 
passwd (or yp) and NT SAM. BUT: there is a clear mapping between them! 
Each user on NT also exists on unix with the same username. So there is 
a translation from one user database to the other - the name. To get 
the ids (uid or sid) one has to request the authority of each of these 
databases (UNIX: YP-Server, NT: PDC or BDC). This should not be too 
difficult, so I don't understand why you didn't design it this way in 
the first case. :-)

> winbindd is one solution to this.

Yes - if you give up yp or nis+ or ldap or /etc/passwd ...

> If you don't try and do this, you don't have problems with
> ACLs.

But can I make a samba server a domain master without totally 
screwing up my NT servers? This does not sound really correct to me.


Hey, I am sucking up every advice I can to get this running, so thank 
you for the discussion! :-)

Christopher
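
The name-based translation described in this message (SID to name at the PDC/BDC, then name to uid at the Unix authority), sketched in Python as an added example that is not part of the original post and is not Samba's code. All tables, the domain names HNI and OTHER, and the function names are constructed for illustration; the sketch also refuses SIDs issued by a different authority, the case raised in the quoted reply.

```python
# Added illustration: name-based SID -> uid translation on a domain member.
# All tables below are constructed sample data, not real SIDs or accounts.

# What the domain controller (PDC/BDC) would answer for a SID lookup:
# SID -> (domain, account name). Stands in for the real DC query.
DC_SAM = {
    "S-1-5-21-1111-2222-3333-1001": ("HNI", "jill"),
    "S-1-5-21-1111-2222-3333-1002": ("HNI", "bob"),
    "S-1-5-21-9999-8888-7777-1001": ("OTHER", "jill"),  # foreign authority
}

# What the Unix authority (/etc/passwd or YP) would answer: name -> uid.
UNIX_PASSWD = {"jill": 5001}

OWN_DOMAIN = "HNI"  # the domain this member server belongs to (assumed)


class MappingError(LookupError):
    """Raised when a SID cannot be translated to a local uid."""


def sid_to_uid(sid, sam=DC_SAM, passwd=UNIX_PASSWD, own_domain=OWN_DOMAIN):
    """Translate SID -> name (ask the DC) -> uid (ask the Unix authority)."""
    try:
        domain, name = sam[sid]
    except KeyError:
        raise MappingError(f"DC does not know SID {sid}") from None
    # Only the member's own domain shares its namespace with Unix; a name
    # from another authority must not be matched against local accounts.
    if domain != own_domain:
        raise MappingError(f"{domain}\\{name}: SID from a foreign authority")
    try:
        return passwd[name]
    except KeyError:
        raise MappingError(f"{domain}\\{name}: no Unix account") from None


def map_acl(sids, **kw):
    """Map ACL SIDs to uids; return (mapped, rejected) for auditing."""
    mapped, rejected = {}, {}
    for sid in sids:
        try:
            mapped[sid] = sid_to_uid(sid, **kw)
        except MappingError as exc:
            rejected[sid] = str(exc)
    return mapped, rejected
```

Without the domain check, both "jill" SIDs would resolve to uid 5001, so an ACL entry for OTHER\jill would silently grant access to the local jill.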


