[Samba] Samba4, idmap.ldb & ID_TYPE_BOTH

Andrew Bartlett abartlet at samba.org
Sat Feb 21 12:26:39 MST 2015

On Thu, 2015-02-19 at 17:15 +0000, Rowland Penny wrote:
> This all leads me to my questions: why, when it comes to idmap.ldb,
> can a user also be a group and a group also be a user, and why was it
> set up like this in the first place? There must be a reason for it.

It goes like this:

 - Groups can own files (there are groups, like domain administrators,
   that own files in sysvol).
 - We don't always know if an incoming SID is a user or a group (e.g. in
   sidHistory, or when files are migrated, preserving permissions, from a
   workstation or from a domain that is not trusted).
 - Working out if an arbitrary SID is a user or a group takes time and
   network operations, which may fail.  ID_TYPE_BOTH is both fast and
   deterministic in this respect.

My view is that we should always have mapped SIDs to both a UID and GID,
and I understand that in general, we are doing that now in new backends.
See for example idmap_rid and idmap_autorid. 

The only tricky bit is that while a user can be put in an extra group to
pick up any permissions assigned to it as a group, a group can't get
user-based permissions, so can't obtain the extra rights associated with
file ownership.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
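The behaviour Andrew describes, as an added Python model that is not code from this thread or from Samba itself: a simplified idmap.ldb with ID_TYPE_BOTH entries (the IDMAP table, its SIDs and xidNumbers are constructed sample values), a SID-to-UID/GID lookup, and a POSIX owner/group check showing why a group that "owns" a file never gains owner rights, while a user can pick up rights granted to it as a group through its own gid.

```python
# Modelled idmap.ldb "sidMap" records: objectSid -> (xidNumber, type).
# The SIDs and xidNumbers below are constructed sample values, not a real domain's.
ID_TYPE_UID, ID_TYPE_GID, ID_TYPE_BOTH = "ID_TYPE_UID", "ID_TYPE_GID", "ID_TYPE_BOTH"
IDMAP = {
    "S-1-5-21-1-2-3-1106": (3000000, ID_TYPE_BOTH),  # a user account
    "S-1-5-21-1-2-3-512": (3000001, ID_TYPE_BOTH),   # Domain Admins (a group)
    "S-1-5-21-1-2-3-1200": (3000002, ID_TYPE_GID),   # group-only mapping
}

def sid_to_ids(sid):
    """Return (uid, gid) for a SID; a slot the mapping type cannot serve is None."""
    xid, kind = IDMAP[sid]
    uid = xid if kind in (ID_TYPE_UID, ID_TYPE_BOTH) else None
    gid = xid if kind in (ID_TYPE_GID, ID_TYPE_BOTH) else None
    return uid, gid

def build_token(user_sid, member_of):
    """Model a POSIX token: uid from the user's SID, supplementary gids from every
    SID in the token, the user's own SID included (ID_TYPE_BOTH gives it a gid too)."""
    uid, _ = sid_to_ids(user_sid)
    gids = [sid_to_ids(s)[1] for s in [user_sid, *member_of]]
    return uid, [g for g in gids if g is not None]

def can_write(token, owner_uid, group_gid, mode):
    """Classic owner/group/other check, as the filesystem applies it."""
    uid, gids = token
    if uid == owner_uid:
        return bool(mode & 0o200)
    if group_gid in gids:
        return bool(mode & 0o020)
    return bool(mode & 0o002)

def demo():
    user, admins = "S-1-5-21-1-2-3-1106", "S-1-5-21-1-2-3-512"
    admin_uid, admin_gid = sid_to_ids(admins)     # one xid answers both lookups
    token = build_token(user, member_of=[admins])
    # Case 1: Domain Admins "owns" a sysvol file (its xid is the owner uid), but
    # no member ever runs with that uid, so members only get the group bits.
    member_writes = can_write(token, owner_uid=admin_uid, group_gid=admin_gid, mode=0o640)
    # Case 2: a user's xid used as a file's group; the user carries it as an
    # extra gid, so permissions granted to "the user as a group" are picked up.
    user_gid = sid_to_ids(user)[1]
    self_writes = can_write(token, owner_uid=0, group_gid=user_gid, mode=0o660)
    return {"admins_both": (admin_uid, admin_gid) == (3000001, 3000001),
            "member_writes_group_owned_file": member_writes,  # False
            "user_writes_via_own_gid": self_writes}           # True
```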
