samba-technical@lists.samba.org

Re: unpack_nt_owners fails with owner S-1-5-32-544

Subject: Re: unpack_nt_owners fails with owner S-1-5-32-544
From: simo
Date: Thu, 26 Oct 2006 08:21:25 -0400

On Thu, 2006-10-26 at 16:06 +1000, tridge@xxxxxxxxx wrote:
> Volker,
> 
>  > BTW, nasty as it is, this _is_ relevant. I've come across
>  > this at quite a number of sites already.
> 
> yes, I can see it matters. 
> 
> What do you think of the strategy of mapping both the old SID of the
> user and the new SID of the user to the same unix uid? That's
> presuming of course that we can detect this (I can think of some ways
> we might tackle that aspect of it).
> 
> The advantage of mapping both the old SID and the new SID to the same
> uid is that ACLs keep working really well, as does file ownership. The
> disadvantage would seem to be that we would break with the idea of
> a one-to-one mapping of uid to SID. I can't see why keeping it
> one-to-one is vital.

Not vital, but we will probably have to add the concept of a secondary
SID, so that uid->SID always returns the new one.

> As far as detecting it goes, what we'd really need to detect is the
> domain conversion itself. Then doing the actual mapping shouldn't be
> too hard, as it would be a pretty good bet that the usernames are kept
> the same (not guaranteed I know, but should be pretty good).

No, you can't count on this, the samba server can be installed years
after the original domain is shut down.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@xxxxxxxxx
http://samba.org
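
Added illustration, not part of the message above and not Samba's idmap code: a minimal model of the mapping discussed in this thread, where an old and a new SID resolve to the same uid while uid->SID returns only the new one. The class, its method names and the sample SIDs are constructed for this example.

```python
# Illustrative model only; not Samba's idmap code. All names are hypothetical.

class SidConflict(Exception):
    """Raised when a mapping would make one SID resolve to two different uids."""


class IdMap:
    def __init__(self):
        self._sid_to_uid = {}   # many SIDs -> one uid
        self._primary = {}      # uid -> the single SID returned by uid->SID

    def _bind(self, sid, uid):
        existing = self._sid_to_uid.get(sid)
        if existing is not None and existing != uid:
            # Re-pointing a SID would hand one user's ACL entries to another uid.
            raise SidConflict(f"{sid} is already mapped to uid {existing}")
        self._sid_to_uid[sid] = uid

    def set_primary(self, sid, uid):
        """Map sid to uid and make it the answer for uid->SID.
        A previous primary SID stays mapped and becomes a secondary SID."""
        self._bind(sid, uid)
        self._primary[uid] = sid

    def add_secondary(self, sid, uid):
        """Map an old SID to a uid that already has a primary SID."""
        if uid not in self._primary:
            raise KeyError(f"uid {uid} has no primary SID")
        self._bind(sid, uid)

    def sid_to_uid(self, sid):
        return self._sid_to_uid[sid]

    def uid_to_sid(self, uid):
        return self._primary[uid]


# Constructed sample SIDs: the same RID under an old and a new domain SID.
OLD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
NEW_SID = "S-1-5-21-4444444444-5555555555-6666666666-1105"

def demo():
    m = IdMap()
    m.set_primary(NEW_SID, 1000)    # new domain SID is what uid->SID returns
    m.add_secondary(OLD_SID, 1000)  # old SID on existing ACLs still resolves
    return m
```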
