Security Identifier (SID) to User Identifier (uid) Resolution System
Nicolas Williams
Nicolas.Williams at wdr.com
Tue Dec 28 15:37:37 GMT 1999
Luke/Jeremy,
The algorithmic mapping of uids/gids<->sids in Samba works fine as it
is, except that when looking at ACLs on Unix files via Samba the
usernames and groupnames are shown as <Samba hostname>/<user/group name>
on Windows systems. This is annoying if you happen to have standards in
place which guarantee that any given uid or gid represents the same
user/group on a group of *nix hosts.
Two possible improvements over this are:
- allow administrators to specify a different SID to use as the base
for uid/gid<->sid conversions, such as a domain SID whose domain name
might indicate to users that the SID represents an entity in a domain
of *nix systems (the domain's PDC would have to be a Samba server OR
the mapping algorithm would have to match NT's POSIX subsystem's)
(Would there have to be trusts between a domain with an NT PDC and a
domain with a Samba PDC for NT clients to be able to resolve SIDs
from the Samba domain to human readable names? I would guess the
answer is "no"; the clients would probably find the Samba DCs using
NetBIOS and ask them to do the SID->name lookups.)
- implement SURS
To help in transitioning to SURS it would be nice if Samba would
fall back to the algorithmic mapping when there are no valid SURS
mappings.
Here are some details of the configuration and the interface to SURS as I
imagine them:
- a share-wise parameter "guid2sid mapping" whose value is of the form:
[path to SURS shared lib] [default]
If a path is given that should be the path to a library to dlopen().
If the "default" is specified then the algorithmic mapping should be
used when the SURS mappings fail or if no SURS library path was
given.
Examples:
guid2sid mapping = /usr/local/lib/samba/surs-nis.so default
guid2sid mapping = /usr/local/lib/samba/surs-nis.so
guid2sid mapping = default
- a share-wise parameter "guid2sid base sid" whose value is either a
SID, or a NetBIOS host/domain name
- a share-wise parameter "guid2sid mapping args" whose value is a
string to be passed to the init function of the SURS library.
The SURS library would present Samba with an API consisting of the
following functions:
surs_handle * surs_init(char * arg, sid_t base_sid);    /* arg = "guid2sid mapping args", base_sid = "guid2sid base sid" */
surs_handle * surs_destroy(surs_handle * handle);      /* release the handle returned by surs_init() */
int surs_uid2sid(surs_handle * handle, uid_t uid, sid_t * sid);   /* *sid is the result */
int surs_gid2sid(surs_handle * handle, gid_t gid, sid_t * sid);   /* *sid is the result */
int surs_sid2gid(surs_handle * handle, sid_t sid, gid_t * gid);   /* *gid is the result */
int surs_sid2uid(surs_handle * handle, sid_t sid, uid_t * uid);   /* *uid is the result */
The int return value of the mapping functions is to be used to indicate
success or failure and the reason for the failure.
The third argument of each mapping function call is a return value.
The surs_init() function should probably also have an SMB share
connection structure as an argument.
Thoughts?
Nico
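As an added example that is not part of the original message and not Samba's own code, the following C sketches a toy SURS library with the function signatures proposed above, together with the caller-side wrapper that falls back to the algorithmic mapping when "default" is configured and the SURS lookup fails. The sid_t layout, the return codes, the "u<uid>=<rid>,g<gid>=<rid>" syntax for the "guid2sid mapping args" string, and the RID formula (user RID = 2*uid+1000, group RID = 2*gid+1001) are all assumptions made for this example, not part of the proposal.

```c
/* Added example, not Samba code: toy SURS library + caller-side fallback.
 * sid_t layout, return codes, the argument syntax and the RID formula are
 * assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define SID_MAX_SUBAUTH 15
enum { SURS_OK = 0, SURS_ENOMAP = 1, SURS_EINVAL = 2 };   /* assumed return codes */

typedef struct {                                   /* assumed SID layout */
    unsigned char revision, num_auths, id_auth[6];
    unsigned int sub_auths[SID_MAX_SUBAUTH];
} sid_t;
typedef struct { char kind; unsigned int id, rid; } surs_entry;  /* kind is 'u' or 'g' */
typedef struct { sid_t base_sid; surs_entry *tab; int n; } surs_handle;

/* Write "<base>-<rid>" into *out. */
static int sid_append_rid(const sid_t *base, unsigned int rid, sid_t *out) {
    if (base->num_auths >= SID_MAX_SUBAUTH) return SURS_EINVAL;
    *out = *base;
    out->sub_auths[out->num_auths++] = rid;
    return SURS_OK;
}
/* Return 1 and the trailing RID if sid lies directly under base, else 0. */
static int sid_split_rid(const sid_t *base, const sid_t *sid, unsigned int *rid) {
    if (sid->num_auths != base->num_auths + 1 || sid->revision != base->revision) return 0;
    if (memcmp(sid->id_auth, base->id_auth, 6) != 0) return 0;
    if (memcmp(sid->sub_auths, base->sub_auths, base->num_auths * sizeof sid->sub_auths[0]) != 0) return 0;
    *rid = sid->sub_auths[base->num_auths];
    return 1;
}
/* surs_init: arg is the "guid2sid mapping args" string. This toy library reads a
 * constructed list such as "u1000=500,g100=513"; malformed items are skipped. */
surs_handle *surs_init(char *arg, sid_t base_sid) {
    surs_handle *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->base_sid = base_sid;
    for (const char *p = arg ? arg : ""; *p; ) {
        unsigned int id, rid; int used = 0;
        if ((*p == 'u' || *p == 'g') && sscanf(p + 1, "%u=%u%n", &id, &rid, &used) == 2) {
            surs_entry *t = realloc(h->tab, (h->n + 1) * sizeof *t);
            if (!t) break;
            h->tab = t;
            t[h->n].kind = *p; t[h->n].id = id; t[h->n].rid = rid;
            h->n++;
            p += 1 + used;
        }
        const char *comma = strchr(p, ',');
        if (!comma) break;
        p = comma + 1;
    }
    return h;
}
surs_handle *surs_destroy(surs_handle *handle) {
    if (handle) { free(handle->tab); free(handle); }
    return NULL;
}
static int surs_lookup(surs_handle *h, char kind, unsigned int id, sid_t *sid) {
    for (int i = 0; i < h->n; i++)
        if (h->tab[i].kind == kind && h->tab[i].id == id)
            return sid_append_rid(&h->base_sid, h->tab[i].rid, sid);
    return SURS_ENOMAP;
}
static int surs_reverse(surs_handle *h, char kind, sid_t sid, unsigned int *id) {
    unsigned int rid;
    if (!sid_split_rid(&h->base_sid, &sid, &rid)) return SURS_EINVAL;  /* SID from another domain */
    for (int i = 0; i < h->n; i++)
        if (h->tab[i].kind == kind && h->tab[i].rid == rid) { *id = h->tab[i].id; return SURS_OK; }
    return SURS_ENOMAP;
}
int surs_uid2sid(surs_handle *handle, uid_t uid, sid_t *sid) { return surs_lookup(handle, 'u', (unsigned int)uid, sid); }
int surs_gid2sid(surs_handle *handle, gid_t gid, sid_t *sid) { return surs_lookup(handle, 'g', (unsigned int)gid, sid); }
int surs_sid2uid(surs_handle *handle, sid_t sid, uid_t *uid) {
    unsigned int id; int rc = surs_reverse(handle, 'u', sid, &id);
    if (rc == SURS_OK) *uid = (uid_t)id;
    return rc;
}
int surs_sid2gid(surs_handle *handle, sid_t sid, gid_t *gid) {
    unsigned int id; int rc = surs_reverse(handle, 'g', sid, &id);
    if (rc == SURS_OK) *gid = (gid_t)id;
    return rc;
}
/* Caller side: the parsed "guid2sid" parameters; use_default enables the fallback.
 * Assumed algorithmic scheme: user RID = 2*uid+1000, group RID = 2*gid+1001, so the
 * RID's parity says whether it came from a uid or a gid and the mapping is invertible. */
typedef struct { surs_handle *lib; sid_t base; int use_default; } guid2sid_cfg;
int map_uid2sid(const guid2sid_cfg *c, uid_t uid, sid_t *sid) {
    int rc = c->lib ? surs_uid2sid(c->lib, uid, sid) : SURS_ENOMAP;
    if (rc != SURS_OK && c->use_default) rc = sid_append_rid(&c->base, 2u * (unsigned int)uid + 1000u, sid);
    return rc;
}
int map_sid2uid(const guid2sid_cfg *c, sid_t sid, uid_t *uid) {
    unsigned int rid;
    int rc = c->lib ? surs_sid2uid(c->lib, sid, uid) : SURS_ENOMAP;
    if (rc != SURS_OK && c->use_default && sid_split_rid(&c->base, &sid, &rid)
        && rid >= 1000u && (rid - 1000u) % 2 == 0) { *uid = (uid_t)((rid - 1000u) / 2); rc = SURS_OK; }
    return rc;
}
```

The gid-side wrappers would mirror map_uid2sid and map_sid2uid with the odd RIDs. Note that the reverse direction refuses SIDs outside the configured base SID (SURS_EINVAL) before consulting either the table or the formula, which is what keeps a foreign domain's RID from being silently turned into a local uid.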