From 36c266d467e9105041b33e9b1cdcd9ff073d893e Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 7 Nov 2013 11:09:35 +0100
Subject: nss: check for Well-Known SIDs in SID based requests
---
src/man/include/ldap_id_mapping.xml | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+) (limited to 'src/man')
diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml
index 71ff248f1..9dda39924 100644
--- a/src/man/include/ldap_id_mapping.xml
+++ b/src/man/include/ldap_id_mapping.xml
@@ -189,4 +189,39 @@ ldap_schema = ad
+
+ Well-Known SIDs
+
+ SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs
+ with a special hardcoded meaning. Since the generic users and groups
+ related to those Well-Known SIDs have no equivalent in a Linux/UNIX
+ environment no POSIX IDs are available for those objects.
+
+
+ The SID name space is organized in authorities which can be seen as
+ different domains. The authorities for the Well-Known SIDs are
+
+ Null Authority
+ World Authority
+ Local Authority
+ Creator Authority
+ NT Authority
+ Built-in
+
+ The capitalized version of these names are used as domain names when
+ returning the fully qualified name of a Well-Known SID.
+
+
+ Since some utilities allow to modify SID based access control
+ information with the help of a name instead of using the SID
+ directly SSSD supports to look up the SID by the name as well. To
+ avoid collisions only the fully qualified names are excepted to look
+ up Well-Known SIDs. As a result the domain names NULL
+ AUTHORITY, WORLD AUTHORITY, LOCAL
+ AUTHORITY, CREATOR AUTHORITY, NT
+ AUTHORITY and BUILTIN should not be used as
+ domain names in sssd.conf.
+
+
+
-- cgit