"algorithmic rid base" bogus?

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Dec 27 22:56:01 GMT 2005


On Tue, Dec 27, 2005 at 03:38:16PM -0700, John H Terpstra wrote:
> > The only thought I have was possibly by copying a file (with ACLs) off
> > their file-server?
> 
> Simple solution. If foreign domain support (non-local SIDs) is disabled we 
> refuse to copy the file across. In all other cases, we look up the name 
> attached to the SID, then create a local mapping and call the "add group 
> script" to create a UNIX user or group that is auto-mapped to the Windows 
> account (user or group). In all cases preserving the original SID.
> 
> What am I missing here?

You're missing that we're talking about files *already* copied with the
algorithmic mapping. The new one would get a 'S-1-22-2-<gid>' ACL entry.

Argl. This kills all files copied away from Samba to Windows with ACL entries
without explicit mappings.  For copies of Samba->Samba we end up with the same
gid, and assuming we have a consistent idmap we're fine here as well.

The Samba->Windows file copy might just assume we have explicit mappings for
all ACL entries. Is that something we can live with?

Volker
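
Added example, not part of the original message and not Samba source: a sketch of why ACL entries written under the algorithmic mapping stop resolving once unmapped groups are issued `S-1-22-2-<gid>` instead. It assumes Samba's algorithmic group RID formula (gid * 2 + base + 1, with "algorithmic rid base" defaulting to 1000); the domain SID, gids and explicit mapping are constructed.

```python
# Added illustration; the domain SID, gids and group map below are constructed.
RID_MULTIPLIER = 2           # algorithmic mapping uses two RIDs per Unix id
GROUP_RID_TYPE = 1           # odd RIDs are groups, even RIDs are users
ALGORITHMIC_RID_BASE = 1000  # smb.conf "algorithmic rid base" default

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed


def algorithmic_group_sid(gid, base=ALGORITHMIC_RID_BASE):
    """SID an unmapped Unix group received under the algorithmic mapping."""
    return f"{DOMAIN_SID}-{gid * RID_MULTIPLIER + base + GROUP_RID_TYPE}"


def unix_group_sid(gid):
    """SID the same unmapped group receives in the S-1-22-2 domain."""
    return f"S-1-22-2-{gid}"


def resolve(sid, explicit_map):
    """Resolve an ACL SID to a gid with no algorithmic fallback available.

    Returns (gid, reason), or (None, "orphaned") when nothing matches.
    """
    if sid in explicit_map:
        return explicit_map[sid], "explicit mapping"
    if sid.startswith("S-1-22-2-"):
        return int(sid.rsplit("-", 1)[1]), "unix group sid"
    return None, "orphaned"


def audit_acl(acl_sids, explicit_map):
    """Report, per ACL entry, whether it still resolves to a Unix gid."""
    return {sid: resolve(sid, explicit_map) for sid in acl_sids}


# Constructed data: gid 500 has an explicit group mapping, gid 100 does not.
EXPLICIT_MAP = {algorithmic_group_sid(500): 500}
# ACL as stored on a Windows copy made earlier, plus one newly written entry.
SAMPLE_ACL = [algorithmic_group_sid(100), algorithmic_group_sid(500),
              unix_group_sid(100)]

if __name__ == "__main__":
    for sid, (gid, reason) in audit_acl(SAMPLE_ACL, EXPLICIT_MAP).items():
        print(f"{sid:50} -> gid={gid} ({reason})")
```

The entry for gid 100 that was stored with its algorithmic SID comes back orphaned, while the explicitly mapped entry and the `S-1-22-2-100` entry both resolve.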