"algorithmic rid base" bogus?

Andrew Bartlett abartlet at samba.org
Tue Dec 27 23:10:50 GMT 2005


On Tue, 2005-12-27 at 23:56 +0100, Volker Lendecke wrote:
> On Tue, Dec 27, 2005 at 03:38:16PM -0700, John H Terpstra wrote:
> > > The only thought I have was possibly by copying a file (with ACLs) off
> > > their file-server?
> > 
> > Simple solution. If foreign domain support (non-local SIDs) is disabled we 
> > refuse to copy the file across. In all other cases, we look up the name 
> > attached to the SID, then create a local mapping and call the "add group 
> > script" to create a UNIX user or group that is auto-mapped to the Windows 
> > account (user or group). In all cases preserving the original SID.
> > 
> > What am I missing here?
> 
> You're missing that we're talking about files *already* copied with the
> algorithmic mapping. The new one would get a 'S-1-22-2-<gid>' ACL entry.
> 
> Argl. This kills all files copied away from Samba to Windows with ACL entries
> without explicit mappings.  For copies of Samba->Samba we end up with the same
> gid, and assuming we have a consistent idmap we're fine here as well.
> 
> The Samba->Windows file copy might just assume we have explicit mappings for
> all acl entries. Is that something we can live with?

Remembering that the user cannot have created the ACL from windows, it
must have been created with a POSIX command line tool.  This narrows
down the users a *lot*.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
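The failure mode Volker describes above, as an added example that is not part of the original thread and not Samba's own code: a small pre-copy audit that separates explicitly mapped ACL entries from Samba's algorithmic Unix-users/Unix-groups entries (the S-1-22-1-<uid> and S-1-22-2-<gid> forms), rewrites the ones an idmap can resolve, and reports the ones that would become meaningless 'S-1-22-2-<gid>' entries on a Windows target. The ACL entries and the idmap table are constructed sample data; the `("UID", n)` / `("GID", n)` idmap key shape is an assumption of this example, not Samba's idmap interface.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Samba-specific algorithmic SID authorities: S-1-22-1-<uid> (Unix Users) and
# S-1-22-2-<gid> (Unix Groups). They only mean something on the host that
# generated them, so an ACL carrying them is not portable to a Windows server.
UNIX_USERS = ["S", "1", "22", "1"]
UNIX_GROUPS = ["S", "1", "22", "2"]

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# An ACE is modelled as (sid, permission-label); the idmap as a lookup from
# ("UID", uid) / ("GID", gid) to an explicit domain SID (assumption for this example).
Ace = Tuple[str, str]
IdMap = Dict[Tuple[str, int], str]


@dataclass
class SidInfo:
    sid: str
    kind: str              # "explicit", "algorithmic-user", "algorithmic-group", "invalid"
    unix_id: Optional[int] # uid/gid for algorithmic SIDs, else None


def parse_sid(sid: str) -> SidInfo:
    """Classify a SID string; exactly five components are required for the algorithmic forms."""
    if not SID_RE.match(sid):
        return SidInfo(sid, "invalid", None)
    parts = sid.split("-")
    if len(parts) == 5 and parts[:4] == UNIX_USERS:
        return SidInfo(sid, "algorithmic-user", int(parts[4]))
    if len(parts) == 5 and parts[:4] == UNIX_GROUPS:
        return SidInfo(sid, "algorithmic-group", int(parts[4]))
    return SidInfo(sid, "explicit", None)


def audit_acl(acl: List[Ace], idmap: IdMap) -> Dict[str, list]:
    """Bucket each ACE: portable (explicit SID), resolvable (idmap has an explicit SID),
    orphaned (algorithmic SID with no mapping), or invalid (not a SID at all)."""
    report: Dict[str, list] = {"portable": [], "resolvable": [], "orphaned": [], "invalid": []}
    for sid, perms in acl:
        info = parse_sid(sid)
        if info.kind == "invalid":
            report["invalid"].append((sid, perms))
        elif info.kind == "explicit":
            report["portable"].append((sid, perms))
        else:
            key = ("UID" if info.kind == "algorithmic-user" else "GID", info.unix_id)
            mapped = idmap.get(key)
            if mapped is None:
                report["orphaned"].append((sid, perms))
            else:
                report["resolvable"].append((sid, perms, mapped))
    return report


def rewrite_for_copy(acl: List[Ace], idmap: IdMap) -> Tuple[List[Ace], List[Ace]]:
    """Produce the ACL that can safely travel to a non-Samba target, preserving ACE order:
    explicit SIDs are kept, resolvable algorithmic SIDs are replaced by their explicit
    mapping, and orphaned/invalid entries are dropped and returned for the operator."""
    new_acl: List[Ace] = []
    dropped: List[Ace] = []
    for sid, perms in acl:
        info = parse_sid(sid)
        if info.kind == "explicit":
            new_acl.append((sid, perms))
        elif info.kind == "invalid":
            dropped.append((sid, perms))
        else:
            key = ("UID" if info.kind == "algorithmic-user" else "GID", info.unix_id)
            mapped = idmap.get(key)
            if mapped is None:
                dropped.append((sid, perms))
            else:
                new_acl.append((mapped, perms))
    return new_acl, dropped


# Constructed sample data: one domain-SID ACE, two algorithmic group ACEs, one
# algorithmic user ACE. Only gid 1000 has an explicit mapping in the sample idmap.
DOMAIN = "S-1-5-21-1000000000-2000000000-3000000000"
SAMPLE_ACL: List[Ace] = [
    (DOMAIN + "-1105", "FULL"),
    ("S-1-22-2-1000", "READ"),
    ("S-1-22-1-1001", "WRITE"),
    ("S-1-22-2-2000", "READ"),
]
SAMPLE_IDMAP: IdMap = {("GID", 1000): DOMAIN + "-1201"}

if __name__ == "__main__":
    portable_acl, dropped = rewrite_for_copy(SAMPLE_ACL, SAMPLE_IDMAP)
    for sid, perms in portable_acl:
        print(f"keep   {sid} {perms}")
    for sid, perms in dropped:
        print(f"orphan {sid} {perms}  (algorithmic SID, no explicit mapping)")
```

Run against a real ACL the orphaned list is the set of entries that were created with a POSIX tool and never given an idmap entry; deciding whether to refuse the copy outright or to proceed without those entries is the policy question the thread is debating, and the audit only makes the choice visible before the data moves.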