Fwd: Re: [plug] mounting home directories

Craig Ringer craig at postnewspapers.com.au
Wed Aug 11 15:01:06 WST 2004


James Devenish wrote:

> Note that the files are *not* intrinsically owned by 'marc-w'. Rather,
> they are owned by 508. The name 'marc-w' is just a facade (sorry!)
> because names are nicer to work with. Thus, both your server and your
> laptop need to agree that 508 is 'marc-w' and that 'marc-w' is 508 (i.e.
> they have to agree on those TWO facts), OR you need to allow them to
> disagree by having Samba map between 508 and 500. This is what UNIX
> administrators expect. I'm not quite sure of the relationship between
> this and Windows. Either Windows is doing some mapping on your behalf
> (which would be worrisome to most UNIX admins), or perhaps it isn't
> really working.

My understanding is that Windows is quite a bit smarter about this. 
It'll require you to authenticate as the user /at some point/. Always. 
This is often done as part of a domain login - your user identity is 
validated by the domain controller when you log in to your workstation. 
If you're a wandering user who hasn't joined the domain, you'll be 
required to authenticate by the server before being given access to 
resources - hence showing that you at least hold the credentials the 
legitimate user must hold.

If you're familiar with kerberos, then you'll already have a general 
grasp of how it works. In fact, with win2k it _is_ based on Kerberos, 
and with Win2k3 it can actually comply with the Kerberos standard they 
mangled for Win2k.

Windows domains also have a shared, global group of user identities. 
Each identity has a GUID (Globally Unique IDentifier) in the domain, so 
there are no problems with conflicts. Anyway, as the domain is part of 
the user identity - DOMAIN1\trina is a different user to DOMAIN2\trina - 
that's not all that big a deal. This is a bit like having UNIX systems 
that identify users as username at DOMAIN (where DOMAIN is the kerberos 
domain).

So overall, the Windows way is much, much, much less scary than the NFS 
"Well, the user IDs match. Hope it's not coincidence; let 'em in." NFS 
made sense when computers were immense and expensive and the sysadmin 
was a scary, scary person. These days it's totally stupid.

I look forward to NFSv4 with Kerberos. I'll be playing with it here when 
I get time, and I'll let you folks know how I go.

--
Craig Ringer
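The thread's point about NFS is that the server trusts the numeric uid on the wire and nothing else, so the only defence is making sure both hosts agree on both facts James listed (name -> uid and uid -> name). The following is an added example, not code from either poster; it parses two constructed passwd(5) snippets (a "server" and a "laptop", using the 508/500 ids from the thread) and reports every disagreement, including the dangerous case where a uid on one host belongs to a different account on the other.

```python
"""Check that two hosts agree on the uid <-> name mapping that NFS (AUTH_SYS)
silently relies on: the server grants access on the numeric uid alone."""
from typing import Dict, List, Tuple

# Constructed sample passwd(5) contents; these are not real hosts or accounts.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
marc-w:x:508:508:Marc W:/home/marc-w:/bin/bash
trina:x:509:509:Trina:/home/trina:/bin/bash
"""

LAPTOP_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
marc-w:x:500:500:Marc W:/home/marc-w:/bin/bash
trina:x:509:509:Trina:/home/trina:/bin/bash
guest:x:508:508:Guest:/home/guest:/bin/sh
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Return {name: uid} from passwd-format text, skipping blank and comment lines."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = int(fields[2])
    return users


def find_mismatches(server: Dict[str, int], laptop: Dict[str, int]) -> List[Tuple[str, str]]:
    """Report every way the two hosts disagree on 'name is uid' or 'uid is name'."""
    problems: List[Tuple[str, str]] = []

    # Fact 1: for each account name, both hosts must give the same uid.
    for name in sorted(set(server) | set(laptop)):
        if name not in server or name not in laptop:
            problems.append((name, "missing on one side"))
        elif server[name] != laptop[name]:
            problems.append((name, f"uid {server[name]} on server vs {laptop[name]} on laptop"))

    # Fact 2: for each uid present on both hosts, it must name the same account.
    # A uid reused for another account is exactly the case where the NFS server
    # would hand one person's files to somebody else.
    server_by_uid = {uid: name for name, uid in server.items()}
    laptop_by_uid = {uid: name for name, uid in laptop.items()}
    for uid in sorted(set(server_by_uid) & set(laptop_by_uid)):
        if server_by_uid[uid] != laptop_by_uid[uid]:
            problems.append((str(uid), f"is {server_by_uid[uid]!r} on server "
                                       f"but {laptop_by_uid[uid]!r} on laptop"))
    return problems


if __name__ == "__main__":
    for subject, detail in find_mismatches(parse_passwd(SERVER_PASSWD),
                                           parse_passwd(LAPTOP_PASSWD)):
        print(f"{subject}: {detail}")
```

On the constructed data this flags three things: `marc-w` has different uids on the two hosts, `guest` exists only on the laptop, and uid 508 is `marc-w` on the server but `guest` on the laptop, so a laptop `guest` login would be treated as `marc-w` by the server. Feed it the real `/etc/passwd` (or `getent passwd` output) from each host to run the same check for real.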
