On Thu, 2003-03-13 at 01:32, Andrew Bartlett wrote: > On Thu, 2003-03-13 at 10:38, Michael Fair wrote: > > I haven't done much work in this are yet so please feel > > free to correct me as you see fit, but as I understand it, > > part of the problem we face is that the equivalents of > > the UID and a GID in UNIX, are mapped to the same address > > space in Windows. > > > > I was working on some unrelated ACL stuff and thought > > about the potential of practically eliminating the use > > of an ACL on a UID and only using ACLs on groups. > > I think this is a very good idea. We would effectivly create a 'user > private group' for every winbindd user. And if they turned out to be a > group, then we just populate them with members!
This is an approach I have proposed back last summer to Jeremy and Tridge at Jeremy's, and that would have also cured the "problem" that all distribution that automatically create a private group for a user have, but seem they was not convinced so I didn't pushed the idea anymore :-) > This helps us particularly with the problem that we don't know the type > of a SID without a lookup - a lookup that may well fail. Exactly! > This would also solve a nasty problem we have that we don't know the > 'real' primary group of every user for NT4 domains, when doing a > getgrent(). Instead we assume 'domain users'. This would allow us to > always know that value. No, that's not right, we must have a Primary Group in local passdb and use Domain Users as a fallback. Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
signature.asc
Description: This is a digitally signed message part