Security Identifier (SID) to User Identifier (uid) Resolution System
Leslie M. Barstow III
phoenix at faerealm.com
Thu Dec 30 07:56:15 GMT 1999
I think we're not as far out of agreement here as it looks:
* tables vs. algorithms: Samba can generate outgoing (PDC) SIDs by
algorithm. Inbound, it currently uses usernames. This *could* be
strengthened with the Domain authentication code returning a SID -
different users with the same username on different domains could
confuse this, as could re-using names on the same domain. A table-based
solution would ensure we got the right one.
(note: this scenario shows poor advance planning, but sometimes that's
the only planning you get - departments and companies merge...)
* table code: doesn't need to be maintained in Samba; it can be a separate
library. Personally, I think it could go into libsmb without being
much of a maintenance drain, but it's not necessary.
* winbind: Samba *could* use winbind to do its uid resolution, but
needs to pass a full "user at domain" name to ensure proper identification.
I'm not sure all systems' getpwnam() functions are up to handling long
names, though. Also, this does not lock out name re-use, and NT
encourages it by doing all authentication based on SID (not
name) - Samba has the right info, Winbind wouldn't. Also, Winbind
should be using a table lookup to prevent confusion in complex
configurations.
* SURS table maintenance: Jeremy has a good point here. It needs to be
updated reliably by programs accessing this interface (the api itself
does not show a need for accessing NT to validate these items - it
only stores the information). Another program would seem to be
responsible for maintaining the table.
* A real solution: Is going to be a long time coming. PAM offers the
ability to set tickets, and XFS can set arbitrary attribute fields,
but the rest of the system calls and compatibility just aren't there.
--
Leslie M. Barstow III | http://www.faerealm.com/phoenix
phoenix at faerealm.com | Linux and Apple][GS links: computers/
PGP key at www.pgp.com | Fight junk e-mail abuse!: computers/spam/
Wow! It all fits. |
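Added example, not part of the original message and not Samba's or winbind's own code: a small SID-keyed mapping table of the kind the post argues for, next to the username-keyed lookup it contrasts with. The domain SIDs, RIDs, usernames and uids are constructed sample data; the class and function names (`SursTable`, `split_sid`, `uid_for_name`) are assumptions for illustration. It shows the two failure modes named above: two merged domains that both have an `alice`, and a `bob` deleted and re-created on one domain with a new SID. SID lookup resolves each account exactly; name lookup either needs a domain qualifier or has to refuse to answer.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Textual SID: S-1-<identifier authority>-<sub-authority>...-<sub-authority>
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split a textual SID into (identifier authority, [sub-authorities]);
    anything that does not match the S-1-... shape is rejected."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"malformed SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    return authority, subs


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID): the RID is the last sub-authority and the
    domain SID is everything before it; needs at least two sub-authorities."""
    authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError(f"SID has no domain part: {sid!r}")
    domain = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def is_valid_sid(sid: str) -> bool:
    """True when the SID parses and carries a domain part plus a RID."""
    try:
        split_sid(sid)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Entry:
    sid: str
    domain: str
    name: str
    uid: int


class SursTable:
    """SID-keyed mapping table (hypothetical name). Each SID maps to exactly
    one uid and each uid belongs to exactly one SID; the username is only a
    label carried alongside, never the key."""

    def __init__(self) -> None:
        self._by_sid: Dict[str, Entry] = {}
        self._by_uid: Dict[int, Entry] = {}
        self._by_name: Dict[str, List[Entry]] = {}

    def add(self, sid: str, name: str, uid: int) -> Entry:
        domain, _rid = split_sid(sid)  # also validates the SID shape
        if sid in self._by_sid:
            raise ValueError(f"SID already mapped: {sid}")
        if uid in self._by_uid:
            raise ValueError(f"uid {uid} already owned by {self._by_uid[uid].sid}")
        entry = Entry(sid, domain, name, uid)
        self._by_sid[sid] = entry
        self._by_uid[uid] = entry
        self._by_name.setdefault(name, []).append(entry)
        return entry

    def uid_for_sid(self, sid: str) -> Optional[int]:
        """Exact lookup: the SID identifies one account, whatever its name."""
        e = self._by_sid.get(sid)
        return e.uid if e else None

    def sid_for_uid(self, uid: int) -> Optional[str]:
        """Reverse direction, used when a local uid must be presented as a SID."""
        e = self._by_uid.get(uid)
        return e.sid if e else None

    def uid_for_name(self, name: str, domain: Optional[str] = None) -> Optional[int]:
        """Name-based lookup, the inbound path the message describes. Returns
        None instead of guessing when the name is unknown or matches more than
        one account (same username in two domains, or a deleted and re-created
        account on one domain)."""
        hits = [e for e in self._by_name.get(name, [])
                if domain is None or e.domain == domain]
        return hits[0].uid if len(hits) == 1 else None


def build_demo_table() -> SursTable:
    """Constructed sample data: two merged domains that both have an 'alice',
    and one domain where 'bob' was deleted and re-created with a new SID."""
    corp = "S-1-5-21-1000-2000-3000"
    acme = "S-1-5-21-4000-5000-6000"
    t = SursTable()
    t.add(f"{corp}-1105", "alice", 10001)
    t.add(f"{acme}-1105", "alice", 20001)  # same name, and even the same RID
    t.add(f"{corp}-1110", "bob", 10002)    # original account
    t.add(f"{corp}-1200", "bob", 10003)    # re-created after deletion
    return t


if __name__ == "__main__":
    table = build_demo_table()
    print("by SID :", table.uid_for_sid("S-1-5-21-4000-5000-6000-1105"))
    print("by name:", table.uid_for_name("alice"))
    print("by name+domain:", table.uid_for_name("alice", "S-1-5-21-1000-2000-3000"))
```

The point of `uid_for_name` returning `None` on ambiguity is that a mapping layer should fail closed rather than hand one domain's user the other domain's uid; the domain-qualified variant is the "user at domain" form the post says winbind would need, and even that cannot distinguish the two `bob` accounts, which only the SID does.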