CVS update: samba/source/smbd
Andrew Bartlett
abartlet at pcug.org.au
Sun Nov 4 10:07:53 EST 2001
Jeremy Allison wrote:
>
> On Sat, Nov 03, 2001 at 10:01:17PM +1100, Andrew Bartlett wrote:
>
> > I certainly liked that patch. There doesn't seem much point in the
> > double-lookup.
>
> We have to have the double lookup. If we can map a SID to a gid_t
> then we need to do so in order to get real filesystem access if
> permitted by the gid_t. We're only arguing about whether we need
> to keep the SID around also in the non lookup case.
I suppose what I was meaning was the 'lossy' double-lookup, but yes I
agree. The problem only requires one lookup however - the SID->GID
lookup, because you can use that to work out what unix groups you don't
already know about, and only then do a lookup.
> > Is the NT_USER_TOKEN format fixed in stone?
> >
> > Is there any reason we can't attach the gids (if known) to the same
> > structure? Something like the way I now have optional uid_t and gid_t
> > values in passdb?
>
> The NT_USER_TOKEN is designed for NT SIDs only. It gets included
> in other structures that contain uid_t and gid_t's. They don't
> belong in the pure NT info (IMHO). So I don't really want to
> change it.
One of the things I have been working to fix in samba is what I call
'loss of information'. This occurred often within the authentication
subsystem before I attacked it, resulting in approximations and excess
getpwnam() lookups.
We seem to be losing information here - that is the connection between
a given sid and its unix uid_t/gid_t (optional) representation.
There is a tantalising possibility here:
If we keep the mapping between the NT SID and the unix uid, we can also
go the other way. This means that we can always map the ACL permissions
on a file back to the DOMAIN sid that the current user arrived with,
solving the 'security=domain but not winbind' profile bug.
So while I understand not wanting to burden NT_USER_TOKEN with unix
info, why not NT_UNIX_USER_TOKEN and a function that produces the
NT_USER_TOKEN subset when required?
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Samba Team member, Build Farm maintainer abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
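The token layout proposed in the message above (SIDs kept together with their optional uid_t/gid_t, plus a function that yields the SID-only NT_USER_TOKEN subset on demand), written out as an added example. This is not Samba code and not the structures from the samba/source/smbd tree: the type and function names (nt_unix_user_token, nt_unix_token_to_nt, nt_unix_token_gid_to_sid and so on) are hypothetical, SIDs are held as text rather than Samba's binary DOM_SID, and every SID and unix id in it is constructed for illustration. It shows the three operations the thread argues for: one SID->gid lookup whose misses identify the groups still unknown, the projection to the pure NT token, and going the other way from a gid found in a file ACL back to the domain SID the user arrived with.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not Samba code. A SID is kept only in its text form here
 * (Samba's DOM_SID is binary); that is enough to show the token layout
 * under discussion. All SIDs and ids used with it are constructed. */
#define SID_STRLEN 64
#define TOKEN_MAX  8

typedef struct { char s[SID_STRLEN]; } sid_str;

/* The SID-only token the thread calls NT_USER_TOKEN: no unix ids in it. */
typedef struct {
    size_t  num_sids;
    sid_str sids[TOKEN_MAX];
} nt_user_token;

/* One entry of the proposed NT_UNIX_USER_TOKEN: the SID plus, when the
 * SID->uid/gid lookup succeeded, the unix id it mapped to. Keeping both
 * side by side is what avoids the "loss of information" in the message. */
typedef struct {
    sid_str sid;
    bool    is_group;    /* group SID -> gid, user SID -> uid */
    bool    has_unix_id; /* false: SID known, but no unix mapping found */
    uid_t   uid;
    gid_t   gid;
} nt_unix_entry;

typedef struct {
    size_t        num;
    nt_unix_entry e[TOKEN_MAX];
} nt_unix_user_token;

/* Append a SID; pass mapped=false when the SID->unix lookup found nothing.
 * The SID is kept either way, so nothing is lost in the non-lookup case. */
bool nt_unix_token_add(nt_unix_user_token *t, const char *sid, bool is_group,
                       bool mapped, unsigned long id)
{
    if (t->num >= TOKEN_MAX || strlen(sid) >= SID_STRLEN)
        return false;
    nt_unix_entry *en = &t->e[t->num];
    memset(en, 0, sizeof *en);
    strcpy(en->sid.s, sid);
    en->is_group = is_group;
    en->has_unix_id = mapped;
    if (mapped) {
        if (is_group) en->gid = (gid_t)id; else en->uid = (uid_t)id;
    }
    t->num++;
    return true;
}

/* The projection the message asks for: produce the NT_USER_TOKEN subset
 * on demand instead of carrying a second, unix-free copy of the SIDs. */
void nt_unix_token_to_nt(const nt_unix_user_token *t, nt_user_token *out)
{
    out->num_sids = t->num;
    for (size_t i = 0; i < t->num; i++)
        out->sids[i] = t->e[i].sid;
}

/* Group SIDs with no gid are exactly the ones that still need a lookup.
 * Fills the gids of the mapped groups and returns how many are unmapped. */
size_t nt_unix_token_unix_gids(const nt_unix_user_token *t, gid_t *gids,
                               size_t max, size_t *ngids)
{
    size_t unmapped = 0;
    *ngids = 0;
    for (size_t i = 0; i < t->num; i++) {
        if (!t->e[i].is_group) continue;
        if (!t->e[i].has_unix_id) { unmapped++; continue; }
        if (*ngids < max) gids[(*ngids)++] = t->e[i].gid;
    }
    return unmapped;
}

/* Going the other way: map a gid seen in a file ACL back to the SID this
 * user arrived with, without a second gid->SID lookup. */
const char *nt_unix_token_gid_to_sid(const nt_unix_user_token *t, gid_t gid)
{
    for (size_t i = 0; i < t->num; i++)
        if (t->e[i].is_group && t->e[i].has_unix_id && t->e[i].gid == gid)
            return t->e[i].sid.s;
    return NULL; /* gid not in this token: caller falls back to a lookup */
}
```

The reverse mapping only answers for gids the token already carries; anything else still has to go through the normal lookup path, which is the point: the lookup happens once, when the token is built, and the result is reused rather than approximated later.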