[Samba] Samba4, idmap.ldb & ID_TYPE_BOTH
abartlet at samba.org
Sat Feb 21 12:26:39 MST 2015
On Thu, 2015-02-19 at 17:15 +0000, Rowland Penny wrote:
> This all leads me to my questions: why, when it comes to idmap.ldb,
> can a user also be a group and a group also be a user, and why was it
> set up like this in the first place? There must be a reason for it.
It goes like this:
- Groups can own files (there are groups like domain administrators that own files in sysvol).
- We don't (e.g. in sidHistory, or when files are migrated, preserving permissions, from a workstation or from a domain that is not trusted) always know if an incoming SID is a user or group.
- Working out if an arbitrary SID is a user or group takes time and network operations, which may fail. ID_TYPE_BOTH is both fast and deterministic in this respect.
My view is that we should always have mapped SIDs to both a UID and GID,
and I understand that in general, we are doing that now in new backends.
See for example idmap_rid and idmap_autorid.
The only tricky bit is that while a user can be put in an extra group to
pick up any permissions assigned to it as a group, a group can't get
user-based permissions, so can't obtain the extra rights associated with
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
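As an added illustration of the ID_TYPE_BOTH reasoning above (example code written for this page, not Samba's own idmap implementation), the following models an idmap_rid-style mapping: every SID in the configured domain gets `low + RID` as its Unix id, typed BOTH, so a uid or gid query for the same SID succeeds without any lookup of whether the object is a user or a group. The domain SID, range and file SIDs are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample configuration, not taken from any real domain:
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # the one trusted domain we map
LOW, HIGH = 10000, 99999                  # the idmap range for that domain

ID_TYPE_UID, ID_TYPE_GID, ID_TYPE_BOTH = "UID", "GID", "BOTH"

@dataclass(frozen=True)
class Xid:
    id: int
    type: str

_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def sid_to_xid(sid: str) -> Optional[Xid]:
    """Map a domain SID to a Unix id the way an idmap_rid-style backend does:
    id = LOW + RID. Deciding user-vs-group would need a directory lookup
    that can fail, so the result is typed BOTH and computed purely locally.
    Returns None for SIDs outside the configured domain or range."""
    m = _SID_RE.match(sid)
    if not m or m.group(1) != DOMAIN_SID:
        return None
    xid = LOW + int(m.group(2))
    return Xid(xid, ID_TYPE_BOTH) if xid <= HIGH else None

def id_for(sid: str, want: str) -> Optional[int]:
    """Answer a uid query (want == 'UID') or gid query (want == 'GID') for a
    SID. A BOTH mapping satisfies either; a UID-only mapping could not answer
    a gid query, and vice versa."""
    x = sid_to_xid(sid)
    if x is None or x.type not in (want, ID_TYPE_BOTH):
        return None
    return x.id

def unix_owner(owner_sid: str, group_sid: str) -> Optional[Tuple[int, int]]:
    """Resolve the owner/group SIDs of a migrated file's security descriptor
    to (uid, gid). Because every mapping is BOTH, a group SID in the owner
    slot (e.g. Domain Admins owning sysvol) still yields a usable uid."""
    uid, gid = id_for(owner_sid, ID_TYPE_UID), id_for(group_sid, ID_TYPE_GID)
    if uid is None or gid is None:
        return None
    return (uid, gid)
```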