[Patch] Add an idmap implementation to winbind
Kai Blin
kai at samba.org
Thu Feb 14 17:12:05 GMT 2008
On Thursday 14 February 2008 17:12:23 simo wrote:
> Reading the first patch I see you re-introduced idmap uid and idmap gid
> ranges in smb.conf, please don't do that, as this is a new
> implementation anyway, please keep the ranges in the database itself.
> Also I'd suggest to only use one range for both uid and gid, the added
> flexibility is not worth the confusion imo.
Sure, can do.
> Also I would not introduce the idmap database, why can't we put this
> stuff into sam.ldb?
Creating a new db was easier for the first try to do this.
> Eventually as a separate partition?
Sure, if someone tells me how to do this. Finding my way around ldb has been
really cumbersome so far.
>
> Reading the fourth patch it appears like you are using your functions in
> a set of composite functions, this means that you are introducing
> blocking synchronous calls (gendb_search) in an a supposedly async set
> of calls, not good.
My first go at getting id mapping into winbind was using sidmap, which uses
the same calls. Also, in the beginning I was trying to stay close to the API
Samba3 idmap provided. Fair enough, I'll change it once somebody points me at
the calls to use instead.
> Reading the fifth patch I see no call to validate a SID before consuming
> a uid/gid to make a mapping. This means someone can simply query for N
> non existing SIDs and deplete the given range (DoS).
Validate as in how? Last time I discussed this with Metze he told me I should
map SIDs even if they're not from a trusted domain.
> Also the high watermark is simply replaced, not deleted and added, this
> means in theory 2 concurrent process can allocate the samba uid/gid to 2
> different SIDs and never notice, as the high watermark update is not
> atomic. Transactions are not used either so there is no way to detect it
> later and rollback.
Again, just tell me what calls I should use.
Cheers,
Kai
--
Kai Blin
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
--
Will code for cotton.
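The two review points simo raises (validate a SID before consuming an id from the range, and make the high-water-mark update atomic so two concurrent allocators cannot hand the same uid/gid to two SIDs) are easier to see in a small model. The following is an added example written for this page, not code from Samba, winbind or either poster; `IdmapDB`, `allocate`, the single shared range and the compare-and-set stand-in for a transaction are all assumptions. Whether SIDs from untrusted domains should be rejected is exactly what the thread is still debating; the example simply shows the check simo asked for as one way to stop a client from depleting the range with made-up SIDs.

```python
"""Toy model of idmap allocation: one uid/gid range, a high-water mark (HWM),
SID validation before allocation, and a compare-and-set on the HWM instead of
a blind replace.  Illustrative only: not Samba/winbind code, all names invented."""
import re

# Syntactic SID check: S-1-<authority>-<subauth>... (at least two subauthorities).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){2,}$")


class IdmapDB:
    """Stand-in for the idmap store, using one range for both uid and gid."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.hwm = low                # next unallocated id
        self.sid_to_id = {}
        self.id_to_sids = {}

    def compare_and_set_hwm(self, expected, new):
        """Atomic read-modify-write stand-in (what a transaction, or a
        delete+add of the HWM record inside one, would give you).  Fails if
        someone else moved the HWM since the caller read it."""
        if self.hwm != expected:
            return False
        self.hwm = new
        return True

    def record(self, sid, xid):
        self.sid_to_id[sid] = xid
        self.id_to_sids.setdefault(xid, []).append(sid)


def domain_of(sid):
    """Domain part of a SID: everything but the trailing RID."""
    return sid.rsplit("-", 1)[0]


def validate_sid(sid, trusted_domains):
    """Reject malformed SIDs and SIDs from domains we do not know about, so
    N requests for invented SIDs cannot burn through the range."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %s" % sid)
    if domain_of(sid) not in trusted_domains:
        raise ValueError("SID %s is not from a trusted domain" % sid)


def allocate(db, sid, trusted_domains):
    """Validate, reuse an existing mapping, else allocate via compare-and-set."""
    validate_sid(sid, trusted_domains)
    if sid in db.sid_to_id:
        return db.sid_to_id[sid]
    while True:
        expected = db.hwm
        if expected > db.high:
            raise RuntimeError("idmap range exhausted")
        if db.compare_and_set_hwm(expected, expected + 1):
            db.record(sid, expected)
            return expected
        # Lost the race against another allocator: re-read the HWM and retry.


def allocate_or_error(db, sid, trusted_domains):
    """Same as allocate(), but returns the error class name instead of raising."""
    try:
        return allocate(db, sid, trusted_domains)
    except (ValueError, RuntimeError) as e:
        return type(e).__name__


def race_blind_replace(db, sid_a, sid_b):
    """Two processes read the HWM, then each simply replaces it (the bug
    simo describes): both SIDs end up with the same id and nobody notices."""
    read_a = db.hwm
    read_b = db.hwm                   # B reads before A has written
    db.hwm = read_a + 1
    db.record(sid_a, read_a)
    db.hwm = read_b + 1               # stale write, silently overwrites A's
    db.record(sid_b, read_b)
    return read_a, read_b


def race_compare_and_set(db, sid_a, sid_b):
    """Same interleaving with compare-and-set: B's stale update is rejected,
    B re-reads the HWM and gets the next free id instead."""
    read_a = db.hwm
    read_b = db.hwm
    db.compare_and_set_hwm(read_a, read_a + 1)
    db.record(sid_a, read_a)
    while not db.compare_and_set_hwm(read_b, read_b + 1):
        read_b = db.hwm               # retry with a fresh value
    db.record(sid_b, read_b)
    return read_a, read_b


def duplicate_ids(db):
    """Ids that were handed to more than one SID (should always be empty)."""
    return sorted(x for x, sids in db.id_to_sids.items() if len(sids) > 1)
```

Run against a three-id range, the allocator hands out 1000..1002 to three RIDs of the trusted domain, returns the same id for a repeated SID, refuses a fourth allocation with "range exhausted", and refuses a SID from an unknown domain without consuming an id. The two `race_*` functions show the same interleaving with a blind replace (both callers get the first id) and with compare-and-set (the second caller retries and gets the next one).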