I haven't done much work in this area yet, so please feel free to correct me as you see fit, but as I understand it, part of the problem we face is that the equivalents of a UID and a GID in UNIX are mapped to the same address space in Windows.
I was working on some unrelated ACL stuff and thought about the potential of practically eliminating the use of an ACL on a UID and only using ACLs on groups. Most Linux implementations these days put the UNIX user in a group of the same name by default. If the GID for the user's unique group were made to match the ID from Windows, then every UNIX user could be mapped into the Windows namespace via its GID. Further, every Windows user and group could be mapped into the UNIX space simply by adding a GID for it. UNIX users that mapped to Windows users could be identified by adding the UID to the Windows-based GID for that user. Now whenever the administrator wanted to provide some sort of ACL for the user, they'd do it via the group identifier. If the groups were published in LDAP, then winbind wouldn't need to do any additional mapping, since it could just take the Windows identifier and use it directly as a GID.

I might be smoking something and missing some large gaps, but it seems that approaching the single namespace of Windows with a single namespace from UNIX (namely the groups interface), and then using the UNIX UID to map the UNIX users to the Windows space, elegantly addresses some of the complications between the two systems. Thoughts?

-- Michael --
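To make the proposal above concrete, here is a small Python model of the group-only mapping it describes. This is an added illustration, not code from the post, from Samba or from winbind. It fills in two details the post leaves open, and both are assumptions: a Windows identifier is taken to be a SID string whose trailing RID is used directly as the GID, and UNIX-only users receive GIDs from a separate high range so they cannot collide with RIDs. All names, SIDs, UIDs and the ACL are constructed sample data.

```python
"""Toy model of the group-only identity mapping proposed in the post above.

Every principal (Windows user, Windows group or UNIX user) is represented as a
GID; a UNIX UID is only ever attached to one of those groups, and ACLs refer to
GIDs only.  Added illustration, not Samba or winbind code.

Assumptions the post does not make:
  * a Windows identifier is a SID string and its trailing RID is used directly
    as the GID (the post only says "use the Windows identifier as a GID");
  * UNIX-only users get GIDs from a high range so they cannot collide with RIDs.
All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

UNIX_LOCAL_GID_BASE = 1_000_000  # assumption: local user-private groups start here


@dataclass
class Principal:
    name: str
    gid: int
    uid: Optional[int] = None                  # set only when a UNIX account is attached
    members: set = field(default_factory=set)  # GIDs of direct members


class GroupOnlyIdmap:
    def __init__(self) -> None:
        self.by_gid: dict = {}
        self.by_sid: dict = {}
        self.uid_to_gid: dict = {}
        self._next_local_gid = UNIX_LOCAL_GID_BASE

    @staticmethod
    def rid_of(sid: str) -> int:
        """S-1-5-21-111-222-333-1105 -> 1105 (assumption: the RID doubles as the GID)."""
        return int(sid.rsplit("-", 1)[1])

    def add_windows_principal(self, sid: str, name: str) -> int:
        """Map a Windows user or group into the UNIX namespace as a group."""
        gid = self.rid_of(sid)
        if gid in self.by_gid:
            raise ValueError(f"GID {gid} already taken by {self.by_gid[gid].name}")
        self.by_gid[gid] = Principal(name, gid)
        self.by_sid[sid] = gid
        return gid

    def add_unix_user(self, name: str, uid: int, sid: Optional[str] = None) -> int:
        """Create the user-private group, or, if the user is a Windows user,
        attach the UID to that Windows user's GID instead of allocating one."""
        if uid in self.uid_to_gid:
            raise ValueError(f"UID {uid} already mapped")
        if sid is not None:
            gid = self.by_sid[sid]
        else:
            gid = self._next_local_gid
            self._next_local_gid += 1
            self.by_gid[gid] = Principal(name, gid)
        self.by_gid[gid].uid = uid
        self.uid_to_gid[uid] = gid
        return gid

    def add_member(self, group_gid: int, member_gid: int) -> None:
        self.by_gid[group_gid].members.add(member_gid)

    def groups_of(self, gid: int) -> set:
        """All GIDs that contain `gid`, transitively, plus `gid` itself."""
        result = {gid}
        changed = True
        while changed:
            changed = False
            for p in self.by_gid.values():
                if p.gid not in result and p.members & result:
                    result.add(p.gid)
                    changed = True
        return result

    def has_access(self, uid: int, acl: dict, wanted: str) -> bool:
        """ACL entries are GID -> permission letters; a UID is checked only via its GIDs."""
        gid = self.uid_to_gid[uid]
        return any(wanted in acl.get(g, "") for g in self.groups_of(gid))


def build_sample_domain() -> GroupOnlyIdmap:
    """Constructed sample: one Windows group, one Windows user, one UNIX-only user."""
    idmap = GroupOnlyIdmap()
    dom = "S-1-5-21-111-222-333"
    admins = idmap.add_windows_principal(f"{dom}-512", "Domain Admins")
    alice = idmap.add_windows_principal(f"{dom}-1105", "alice")
    idmap.add_member(admins, alice)
    idmap.add_unix_user("alice", 10001, sid=f"{dom}-1105")  # UID attached to alice's GID
    idmap.add_unix_user("bob", 10002)                        # UNIX-only, gets a local GID
    return idmap
```

With the sample domain, `has_access(10001, {512: "rw"}, "w")` is true because alice's UID resolves to GID 1105, which is a member of GID 512, while bob's UID resolves to a local GID that no ACL entry names. The `ValueError` in `add_windows_principal` is where a RID and an already-allocated GID would collide under the RID-as-GID assumption.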