Hi,
I'm trying to figure out how the various components in a Linux machine
interact when a Samba server serves clients in an Active Directory. Is there a
technical explanation somewhere? The picture I have so far is:
- During initialization, smbd reads the access lists for each share. The lists
are defined in terms of "DOMAIN\user" or "+DOMAIN\group".
smbd uses glibc calls (getpwent() and friends) to convert these to UID/GID. The
glibc routines use the nsswitch, which, in turn, uses winbindd. Winbindd can use
its local tdb engine or use ldap to retrieve this info from a remote server.
- The client connects to smbd and authenticates with the Kerberos GSSAPI
libraries. If successful, the output of this process is a string
"DOMAIN\user", identifying the user.
- smbd now has to enumerate the groups the user is a member of, to see if any of
them matches the access list for the share, and also in general, to assume the
identity of the client. It uses "getpwent and friends", which, again,
use winbindd. Winbindd has to call ldap in order to get the list of groups
(strings of the form "DOMAIN\group"). It uses Kerberos to authenticate
to the ldap server. It also has to convert them to GIDs - which it may do
either by means of the local tdb file or by consulting the ldap server.
Is this remotely correct? How do the SIDs come into play versus the principal
names?
Thanks,
Uri.
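The flow sketched in the post above (glibc NSS lookups routed to whatever backend nsswitch.conf names, then a group-membership check against a share's access list), as an added illustration that is not part of the original mail and not Samba's own code. The nsswitch.conf fragment, the domain names and the simplified access-list syntax (bare name = user, "+" or "@" prefix = group; netgroups not modelled) are constructed for the example. The identity lookup is run against the local "root" account so it works without a joined domain; on a winbind host the same three calls would be answered by winbindd instead of /etc/passwd and /etc/group.

```python
"""Sketch of the lookups smbd performs through glibc NSS, on top of
whatever backends /etc/nsswitch.conf lists (files, ldap, winbind).
Added illustration, not Samba code; sample data below is constructed."""
import os
import pwd
import grp

# Constructed /etc/nsswitch.conf fragment of the kind a winbind-joined host carries.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files dns
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.
    Action brackets such as [NOTFOUND=return] are dropped; only the
    backend order matters for this illustration."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        dbs[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def winbind_serves(dbs, database):
    """True when getpw*/getgr* calls for `database` can reach winbindd."""
    return "winbind" in dbs.get(database, [])


def resolve_identity(username):
    """The calls smbd makes once it holds an authenticated user name:
    getpwnam() for UID and primary GID, getgrouplist() for every GID the
    user holds, getgrgid() to name them. glibc routes each call through
    the sources in nsswitch.conf, so the caller never sees which backend
    (files, ldap, winbind) answered."""
    pw = pwd.getpwnam(username)                              # NSS passwd lookup
    gids = sorted(set(os.getgrouplist(username, pw.pw_gid)))  # NSS group lookups
    groups = []
    for gid in gids:
        try:
            groups.append(grp.getgrgid(gid).gr_name)         # NSS group lookup by GID
        except KeyError:
            groups.append(str(gid))  # GID that no backend can name
    return pw.pw_uid, pw.pw_gid, gids, groups


def share_allows(access_list, username, groups):
    """Match a 'valid users'-style list against a user and their group names.
    Assumed, simplified syntax: a bare entry is a user name, a '+' or '@'
    prefix marks a group; '&' netgroups are not modelled. Matching is
    case-insensitive, as DOMAIN\\name strings from winbind usually are."""
    user_l = username.lower()
    group_l = {g.lower() for g in groups}
    for entry in access_list:
        entry = entry.strip()
        if not entry:
            continue
        if entry[0] in "+@":
            if entry[1:].lower() in group_l:
                return True
        elif entry.lower() == user_l:
            return True
    return False


if __name__ == "__main__":
    dbs = parse_nsswitch(SAMPLE_NSSWITCH)
    print("passwd via winbind:", winbind_serves(dbs, "passwd"))
    uid, gid, gids, groups = resolve_identity("root")
    print("root ->", uid, gid, gids, groups)
    acl = ["EXAMPLE\\alice", "+EXAMPLE\\engineers"]
    print("bob allowed:", share_allows(acl, "EXAMPLE\\bob", ["EXAMPLE\\Engineers"]))
```

Nothing in this example ever sees a SID: the SID-to-UID/GID mapping happens inside winbindd (its idmap backend), below the NSS boundary, so smbd and any other NSS caller only ever deal in names and numeric IDs.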