more to come

Jeremy Allison jallison at whistle.com
Tue May 5 18:22:23 GMT 1998


Luke Kenneth Casson Leighton wrote:

> Then there either:
> 
> - should be (rids in the smbpasswd file)

Nope - smbpasswd contains users by name and by UNIX uid.
No RIDs.

> - rids should be automatically generated (and made to be unique, even when
> / if two users are stored with the same unix UID).
> 

Nope - that's up to the UNIX admin. If the underlying uid
is the same, then the RID must be too. I know that's not
the way NT does it, but it's the way UNIX does it - and
we need a simple mapping function between uid/gid and RID.

If setting it this way causes NT to self-destruct and
crash then tell the UNIX admin not to set up their
smbpasswd file that way.

> I know you're putting in a mechanism to give trust accounts a unique uid,
> counting down from 65534, but if someone uses "map username" to map
> multiple trust accounts (manually) to the same unix uid (e.g. the guest
> account) then we are in trouble.
> 
> 
> No "mixing" is intended.  In what way do you conclude that uids/gids and
> RIDs are being mixed?

Because you are intending a smbpasswd lookup function that
would take rids - it's an implicit mix!

> 
> We _have_ to have RIDs: you can't implement LsaLookupRids, LsaLookupNames
> and SamrQueryDisplayInfo without them.
> 
> These all assume that RIDs are unique, and more importantly _not_ unix
> uids.
> 

I *KNOW* this - that's why we have a mapping function to generate
RIDs from gids and uids. But I'm not going to jump through
hoops to stop identical RIDs - if the UNIX admin sets it up
that way it's because it's what the admin wants.

> 
> Using this method you lose the one-to-one mapping, as for example when you
> receive a SamrQueryDispInfo call, you enumerate through all RIDs and do:
> 
> /* loop variable is the rid; 0 is taken as the end-of-enumeration marker */
> for (rid = get_first_rid(); rid != 0; rid = get_next_rid())
> {
>         uid_t unix_uid = rid_to_uid(rid);
>         SAM_USER_INFO_21 *usr = get_smbpwd_by_unix_uid(unix_uid);
>         add_entry_to_query_disp_info_response(usr);
> }
> 

How can you enumerate through RIDs? RIDs are transient, they
have no existence on the Samba PDC other than being generated
to put in the packet. There are no such functions 'get_first_rid(),
get_next_rid()' - only getpwent() and getgrent(). There never
*should* be such functions get_first_rid(), get_next_rid().

Stop trying to turn UNIX into NT. NT doesn't work very well
and has lots of security problems. I don't want to emulate
that :-).

> 
> Yes, it's tough, and we have to deal with it.
> 

No - the *Administrator* has to deal with it. That's
why they get paid the big bucks for administering
UNIX machines :-).


> OK.  Let me attempt to clarify.  The API should work by RID.  The
> underlying implementation of smbpass should be by unix uid.  Is that
> acceptable?  (Because it's what I'm trying to tell you what I would like
> to work towards!)
> 

No - the API should be by uid/gid - because that's what
exists on the UNIX box. When we get a RID from an NT
box we should turn it into a uid/gid *immediately*, 
and change a uid/gid back to a RID as the last thing
before putting it back onto the wire.

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
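The design Jeremy argues for above, as an added C illustration (not Samba code from the thread or the project): RIDs are derived from uids and gids by a fixed invertible formula, a RID arriving from the wire is turned into a uid at once and looked up in a name/uid table, and display-info enumeration walks the table (the getpwent() analogue) and computes RIDs as the last step. The affine formula, the RID_BASE/RID_MULT constants and the smbpasswd entries are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed mapping: uid -> even offset, gid -> odd offset, above a base that
 * stays clear of the well-known NT RIDs (Administrator = 500, etc.). */
#define RID_BASE 1000u
#define RID_MULT 2u

uint32_t uid_to_user_rid(uid_t uid)  { return (uint32_t)uid * RID_MULT + RID_BASE; }
uint32_t gid_to_group_rid(gid_t gid) { return (uint32_t)gid * RID_MULT + RID_BASE + 1; }
int rid_is_user(uint32_t rid)        { return rid >= RID_BASE && (rid - RID_BASE) % RID_MULT == 0; }
uid_t user_rid_to_uid(uint32_t rid)  { return (uid_t)((rid - RID_BASE) / RID_MULT); }

/* Constructed stand-in for smbpasswd: entries carry a name and a UNIX uid,
 * no RID. Two trust accounts deliberately share the guest-style uid 65534. */
struct smb_entry { const char *name; uid_t uid; };
static const struct smb_entry smbpasswd[] = {
    { "alice", 1001 }, { "bob", 1002 }, { "wks1$", 65534 }, { "wks2$", 65534 },
};
#define NENTRIES (sizeof smbpasswd / sizeof smbpasswd[0])

/* RID from the wire -> uid immediately -> lookup by uid. Returns the number of
 * matching entries (-1 if the RID is not a user RID); a count above 1 is the
 * shared-uid collision the thread discusses, and is left to the admin. */
int lookup_by_rid(uint32_t rid, const char **first_name)
{
    if (!rid_is_user(rid)) return -1;
    uid_t uid = user_rid_to_uid(rid);
    int n = 0;
    for (size_t i = 0; i < NENTRIES; i++)
        if (smbpasswd[i].uid == uid && n++ == 0) *first_name = smbpasswd[i].name;
    return n;
}

/* Display-info style enumeration: iterate the entries, not the RIDs, and
 * generate each RID only when it is about to go into the reply. */
size_t enum_display_rids(uint32_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < NENTRIES && n < max; i++)
        out[n++] = uid_to_user_rid(smbpasswd[i].uid);
    return n;
}
```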

