On Thu, 2004-09-16 at 11:44, Yimin Chen wrote:
> Hi Andrew,
>
> Thanks for your clarifications! I think I now understand it much better.
>
> So if the ntlm_auth tool is enhanced to return the group information, would
> it be just a list of SIDs or could it be the actual group names? If it will
> be SIDs, do we need to query the domain controllers for the group names, or
> does Samba have another API we can use to do the conversion?

My suggestion is that we would return SIDs only, and that you would
convert the names that you store for ACLs into SIDs, for comparison.
(The reason we would only return the SIDs is to avoid the extra network
cost.)

Yet another mode to ntlm_auth could be added to support this name->sid
lookup, to avoid using wbinfo or needing to link against the socket
libs.

Andrew Bartlett
-- 
Andrew Bartlett abartlet@samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
