SURS is not SAM (was Re: FW: Speed comp. TNG & 2.2.alpha (fwd))

Elrond elrond at samba-tng.org
Tue Mar 6 20:10:13 GMT 2001


On Wed, Mar 07, 2001 at 06:04:47AM +1100, Luke Kenneth Casson Leighton wrote:
[...]
> ... *thinks* ...
> 
> > 
> > Okay, spoolssd will inherit its complete security context
> > from smbd, including the unix-sec-ctx.
> 
> true.  _however_: you are correct.  it is possible to override this when
> an authenticated DCE/RPC connection is requested.

Which is exactly what I've outlined in my
dbmsrv paragraph. ;)

[...]
> > While the before-SURS has some other horrible complex
> > stories...
> 
> urrr.... i think you may be thinking of the wrong thing.
> 
> take entries in "map username".
> 
> take smbd sesssetupX request username and domain name.
> 
> put through "map username"

You mean: Apply the mappings? Right?


> then put result through NETLOGON authentication.

That won't work!

I try to log in as remotedom\elrond, it maps me to
remotedom\uninterestinguser and THEN tries to ask
netlogon.

I don't know the pw for that user!!

(Remember my big style scenario, you don't want all the
people in the university to have the same pw, do you? ;-))

netlogon will fail!

What am I missing?




> then put NETLOGON result through SURS to get uid and gids from user-RID
> and group-RIDs all concatenated with the domain SID which is implicit, 
> [and don't forget other-SIDs!]

Okay, that sounds fine again.


[...]
> > hehe... I do remember... I once was requesting this
> > somewhat, because I didn't want to see netlogond linking to
> > libsamrpass.so. ;)
> 
> *sigh*.  yeah.  but it hammers the ncalrpc interface for not exactly a
> good reason.  *sigh* :)

Well... I was thinking about static-linking platforms,
duplicated code and the like, and having one central daemon
dealing with exactly one job.

But I'm fine with libsamr*.


> luke


    Elrond
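The sesssetupX -> "map username" -> NETLOGON -> SURS sequence argued over in the message above, as an added toy model in Python. This is not code from Samba TNG and not code from either poster; it only illustrates the ordering point. Every account, password, domain SID, RID, uid and gid in it is constructed for the example, the NETLOGON check is a dictionary lookup standing in for the domain controller, and the SAMR-style name-to-RID lookup used after authentication is simulated by reading the same constructed table.

```python
# Added example (not Samba TNG code): a toy model of the login pipeline
# discussed in the thread. All accounts, passwords, SIDs, RIDs, uids and gids
# below are constructed for illustration only.
from typing import Dict, List, Tuple

DOMAIN = "remotedom"
DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed domain SID

# Constructed stand-in for what the domain controller knows:
# (domain, user) -> (password, user RID, group RIDs)
NETLOGON_ACCOUNTS: Dict[Tuple[str, str], Tuple[str, int, List[int]]] = {
    (DOMAIN, "elrond"):            ("elrond-secret", 1105, [513, 1201]),
    (DOMAIN, "uninterestinguser"): ("someone-elses-secret", 1106, [513]),
}

# Constructed "map username" rule from the message:
# remotedom\elrond -> remotedom\uninterestinguser
MAP_USERNAME: Dict[Tuple[str, str], Tuple[str, str]] = {
    (DOMAIN, "elrond"): (DOMAIN, "uninterestinguser"),
}

# Constructed SURS tables: full SID (domain SID + RID) -> unix id
SURS_UID: Dict[str, int] = {f"{DOMAIN_SID}-1105": 10005, f"{DOMAIN_SID}-1106": 10006}
SURS_GID: Dict[str, int] = {f"{DOMAIN_SID}-513": 10000, f"{DOMAIN_SID}-1201": 10001}


class NetlogonFailure(Exception):
    """Raised when the simulated domain controller rejects the credentials."""


def map_username(domain: str, user: str) -> Tuple[str, str]:
    """Apply the "map username" rules; unmapped names pass through unchanged."""
    return MAP_USERNAME.get((domain, user), (domain, user))


def netlogon_auth(domain: str, user: str, password: str) -> Tuple[str, List[str]]:
    """Simulated NETLOGON check. On success returns the user SID and group SIDs,
    each formed by concatenating the RID to the (implicit) domain SID."""
    rec = NETLOGON_ACCOUNTS.get((domain, user))
    if rec is None or rec[0] != password:
        raise NetlogonFailure(f"{domain}\\{user}: bad username or password")
    _, user_rid, group_rids = rec
    return f"{DOMAIN_SID}-{user_rid}", [f"{DOMAIN_SID}-{rid}" for rid in group_rids]


def lookup_rids(domain: str, user: str) -> Tuple[str, List[str]]:
    """Simulated SAMR-style name -> RID lookup (no password involved)."""
    _, user_rid, group_rids = NETLOGON_ACCOUNTS[(domain, user)]
    return f"{DOMAIN_SID}-{user_rid}", [f"{DOMAIN_SID}-{rid}" for rid in group_rids]


def surs(user_sid: str, group_sids: List[str]) -> Tuple[int, List[int]]:
    """SID -> uid/gids lookup; an unmapped SID is an error, never a silent default."""
    try:
        return SURS_UID[user_sid], [SURS_GID[s] for s in group_sids]
    except KeyError as e:
        raise LookupError(f"no SURS entry for {e.args[0]}") from None


def login_map_then_auth(domain: str, user: str, password: str) -> Tuple[int, List[int]]:
    """Order proposed in the quoted text: map username, then NETLOGON, then SURS.
    The password presented is checked against the *mapped* account."""
    d, u = map_username(domain, user)
    return surs(*netlogon_auth(d, u, password))


def login_auth_then_map(domain: str, user: str, password: str) -> Tuple[int, List[int]]:
    """Authenticate the name the client actually sent, then apply the mapping to
    the authenticated identity, then SURS. Only the caller's own password is checked."""
    netlogon_auth(domain, user, password)          # proves the caller is domain\user
    d, u = map_username(domain, user)              # choose the identity to run as
    return surs(*lookup_rids(d, u))


def check_ordering(domain: str, user: str, password: str):
    """Return (map_first_succeeded, auth_first_result) for the same credentials."""
    try:
        login_map_then_auth(domain, user, password)
        map_first_ok = True
    except NetlogonFailure:
        map_first_ok = False
    return map_first_ok, login_auth_then_map(domain, user, password)


if __name__ == "__main__":
    # remotedom\elrond logging in with his own password: map-first is rejected
    # because the DC checks the password of uninterestinguser; auth-first works.
    print(check_ordering(DOMAIN, "elrond", "elrond-secret"))
```

`check_ordering("remotedom", "elrond", "elrond-secret")` returns `(False, (10006, [10000]))`: the map-first order fails at NETLOGON exactly as the message says, because elrond's password is not uninterestinguser's, while authenticating first and mapping afterwards lands in the mapped unix identity without anyone sharing a password.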




More information about the samba-technical mailing list