Security Identifier (SID) to User Identifier (uid) ResolutionSystem
Luke Kenneth Casson Leighton
lkcl at samba.org
Thu Dec 30 07:42:00 GMT 1999
> Ay. I should clarify what I'm thinking here:
>
> - I agree that the current uid/gid->RID-of-local-SID algorythmic
> mapping works fine as it is.
for SID-creation? for SID-creation of SIDs in a samba server's local SAM
database? i agree, too. the mapping to create SIDS when you have a
private/smbpasswd file is good. limited (it doesn't do aliases, only
users and groups), but good enough. also limited to not being able to do
BUILTIN domain, but good enough.
i can live with it :-)
particularly as it's only one "smb passwd" implementation.
there are, fortunately, other implementations, such as the ldap smb passwd
instance, which can be designed to have BUILTIN domaiin support, and
supportys for aliases as well as domain-0groups.
> - I agree that letting Samba optionally use an API to an external SURS
> database would be fine (this represents very little extra code in
> Samba). Samba wouldn't have to implement any complex mapping
> function: it would let an external library do whatever it is that it
> does.
this to be used to resolve uids/gids to SIDs, and vice-versa? i also
agree.
> Also, some organizations do have the tools needed to keep Unix and NT
> user/group databases in sync. I've said that before. For those who do
> have these tools having Samba + SURS tables would be nice, but the
> difference is cosmetic (as I've said before).
it _shouldn't_ be necessary to do that. USRMGR.EXE _should_ be
sufficient, along with editing /etc/passwd or equivalent.
if the entire combined smb and unix password database is in LDAP, then
that would be _really_ neat, you can bypass USRMGR.EXE and vi and use
ldap-management tools insteeead.
> I've found a way to agree with both you and Luke (not that I'm the
> pragmatic type). You dispelled my concern about Samba and multiple
> domains in another e-mail, so my interest in SURS goes back to being
> mild.
i went away to sleep for a few hours. let me know if my comments on the
discussion while i was away has any bearing on this.
More information about the samba-technical
mailing list