CVS update: samba/source/smbd

Andrew Bartlett abartlet at pcug.org.au
Sun Nov 4 10:07:53 EST 2001


Jeremy Allison wrote:
> 
> On Sat, Nov 03, 2001 at 10:01:17PM +1100, Andrew Bartlett wrote:
> 
> > I certainly liked that patch.  There doesn't seem much point in the
> > double-lookup.
> 
> We have to have the double lookup. If we can map a SID to a gid_t
> then we need to do so in order to get real filesystem access if
> permitted by the gid_t. We're only arguing about whether we need
> to keep the SID around also in the non lookup case.

I suppose what I was meaning was the 'lossy' double-lookup, but yes I
agree.  The problem only requires one lookup however - the SID->GID
lookup, because you can use that to work out what unix groups you don't
already know about, and only then do a lookup.

> > Is the NT_USER_TOKEN format fixed in stone?
> >
> > Is there any reason we can't attach the gids (if known) to the same
> > structure?  Something like the way I now have optional uid_t and gid_t
> > values in passdb?
> 
> The NT_USER_TOKEN is designed for NT SIDs only. It gets included
> in other structures that contain uid_t and gid_t's. They don't
> belong in the pure NT info (IMHO). So I don't really want to
> change it.

One of the things I have been working to fix in samba is what I call
'loss of information'.  This occurred often within the authentication
subsystem before I attacked it, resulting in approximations and excess
getpwnam() lookups.

We seem to be losing information here - that is the connection between
a given sid and its unix uid_t/gid_t (optional) representation.

There is a tantalising possibility here:

If we keep the mapping between the NT SID and the unix uid, we can also
go the other way.  This means that we can always map the ACL permissions
on a file back to the DOMAIN sid that the current user arrived with,
solving the 'security=domain but not winbind' profile bug.

So while I understand not wanting to burden NT_USER_TOKEN with unix
info, why not NT_UNIX_USER_TOKEN and a function that produces the
NT_USER_TOKEN subset when required?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
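
The token design proposed in the message above, sketched as an added example (not part of the original e-mail and not Samba code). All type and function names here (`ex_sid`, `ex_nt_unix_token`, `token_add`, `token_to_nt`, `token_gid_to_sid`) are hypothetical, and the SID is simplified to a domain id plus RID.

```c
#include <stdio.h>
#include <sys/types.h>
#define MAX_SIDS 8

/* Simplified stand-in for an NT SID (hypothetical: domain id + RID). */
typedef struct { unsigned domain, rid; } ex_sid;
/* SID-only view, as the thread wants NT_USER_TOKEN to remain. */
typedef struct { size_t num_sids; ex_sid sids[MAX_SIDS]; } ex_nt_token;
/* A SID plus its optional unix gid, so the mapping is kept, not re-derived. */
typedef struct { ex_sid sid; int has_gid; gid_t gid; } ex_sid_map;
/* Hypothetical combined token in the spirit of NT_UNIX_USER_TOKEN. */
typedef struct { size_t num; ex_sid_map e[MAX_SIDS]; } ex_nt_unix_token;

/* Add a SID; have_gid == 0 records that no unix mapping is known. */
int token_add(ex_nt_unix_token *t, ex_sid sid, int have_gid, gid_t gid)
{
    if (t->num >= MAX_SIDS) return -1;          /* refuse to overflow */
    t->e[t->num].sid = sid;
    t->e[t->num].has_gid = have_gid;
    t->e[t->num].gid = have_gid ? gid : (gid_t)-1;
    t->num++;
    return 0;
}

/* Produce the SID-only subset when a pure NT token is required. */
void token_to_nt(const ex_nt_unix_token *t, ex_nt_token *out)
{
    out->num_sids = t->num;
    for (size_t i = 0; i < t->num; i++) out->sids[i] = t->e[i].sid;
}

/* Reverse direction: gid from a file ACL back to the SID the user arrived
 * with. Checks has_gid so an unmapped SID can never match a real gid. */
const ex_sid *token_gid_to_sid(const ex_nt_unix_token *t, gid_t gid)
{
    for (size_t i = 0; i < t->num; i++)
        if (t->e[i].has_gid && t->e[i].gid == gid) return &t->e[i].sid;
    return NULL;
}

int main(void)
{
    ex_nt_unix_token t = {0};
    token_add(&t, (ex_sid){1001, 513}, 1, 100); /* constructed sample values */
    token_add(&t, (ex_sid){1001, 2000}, 0, 0);  /* no unix mapping known */
    const ex_sid *s = token_gid_to_sid(&t, 100);
    printf("gid 100 -> rid %u\n", s ? s->rid : 0);
}
```

The explicit `has_gid` flag matters: without it, a SID with no unix mapping and a zeroed gid field would be indistinguishable from membership of gid 0.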



