Security Identifier (SID) to User Identifier (uid) Resolution System
Jeremy Allison
jeremy at valinux.com
Wed Dec 29 21:56:31 GMT 1999
Luke Kenneth Casson Leighton wrote:
>
> 2) when _any_ SID comes in, the same rid-uid function is used. any SIDS
> that do not match the SAM SID at the front are REJECTED.
>
> the rejection bit is what i object to about this algorithm.
That's where we differ. We can only allow this if we have a
mapping table. You want one. I don't. That's the core of
this argument.
> if a SURS table existed, (db implementation) we could map, say,
> SAMBASERVERDOMAIN\user1 to uid500, and DOMAIN2\user1 to uid501, and
> DOMAIN3\user1 to uid502, where uid500 has a unix pw entry name of user1,
> uid501 has D"user1 and 502 has D3user2. slightly painful, but not as
> stupidly limiting as thinking that i think remote users exist on POSIX!
And what happens when these account databases get (separately)
updated? If people forget to update the mapping table you
are *hosed*. Admins will burn you in effigy for designing
this.
I can't imagine *any* admin saying, "oh yes, that's just
what we need - *ANOTHER* account database (which is what
a mapping table is) to keep in sync with all the others
we have. Mmmm, yes. That'll make our jobs *much* easier..."
NOT !
:-).
Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
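
The two designs argued over in this thread, side by side, as an added sketch that is not part of either message and is not Samba's code. The domain SIDs, the RID values and the formula rid = uid * 2 + 1000 are assumptions made for illustration; the thread names a "rid-uid function" but gives no formula.

```python
# Added illustration, not Samba source. All SIDs below are constructed samples.
LOCAL_SAM_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN2_SID = "S-1-5-21-4444444444-5555555555-6666666666"
DOMAIN3_SID = "S-1-5-21-7777777777-8888888888-9999999999"

# ASSUMPTION: the thread names a "rid-uid function" but gives no formula.
# This sketch uses rid = uid * 2 + 1000, with odd offsets reserved for groups.
RID_BASE = 1000
RID_MULTIPLIER = 2


class SidRejected(ValueError):
    """The SID cannot be resolved to a uid."""


def split_sid(sid):
    """Split 'S-1-5-21-x-y-z-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(
            p.isascii() and p.isdigit() for p in parts[1:]):
        raise SidRejected(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def algorithmic_sid_to_uid(sid, sam_sid=LOCAL_SAM_SID):
    """Table-free mapping: only SIDs under the local SAM SID resolve."""
    domain, rid = split_sid(sid)
    if domain != sam_sid:
        raise SidRejected(f"foreign domain SID: {domain}")
    offset = rid - RID_BASE
    if offset < 0 or offset % RID_MULTIPLIER:
        raise SidRejected(f"RID {rid} is not a user RID in this scheme")
    return offset // RID_MULTIPLIER


def table_sid_to_uid(sid, table):
    """Table-based mapping: any SID resolves, but only if a row exists."""
    split_sid(sid)  # still validate the syntax
    if sid not in table:
        raise SidRejected(f"no mapping row for {sid}")
    return table[sid]


def stale_rows(table, unix_uids):
    """Rows whose uid is gone from the Unix account database (table drift)."""
    return sorted(sid for sid, uid in table.items() if uid not in unix_uids)


# Constructed table mirroring the quoted example: three domains, uids 500-502.
SURS_TABLE = {f"{LOCAL_SAM_SID}-2000": 500, f"{DOMAIN2_SID}-1105": 501,
              f"{DOMAIN3_SID}-1105": 502}
```

Running `stale_rows(SURS_TABLE, {500, 501})` reports the DOMAIN3 row, which is the drift between the table and the Unix account database that the reply warns about; a periodic check of this kind is the maintenance cost a table-based design carries.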