winbindd uid and gid range assumptions

Mike Gerdts Michael.Gerdts at alcatel.com
Mon May 13 11:30:43 GMT 2002


It seems as though there was an assumption that users of winbindd would
have switched entirely to NT domain authentication or that they would
have a distinct range of UIDs/GIDs for /etc/passwd (or NIS) and NT domain.

The most obvious sign of this is the peppering of statements like the
following throughout various files:

	/* Bug out if the gid isn't in the winbind range */

	if ((state->request.data.gid < server_state.gid_low) ||
	    (state->request.data.gid > server_state.gid_high)) {
		return WINBINDD_ERROR;
	}

Also, smbd/uid.c does a similar check before calling
winbind_[ug]id_to_sid():

        if (lp_winbind_uid(&low, &high) && uid >= low && uid <= high) {
                if (winbind_uid_to_sid(psid, uid)) {

                        DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
                                (unsigned int)uid, sid_to_string(sid, psid)));

                        return psid;
                }
        }

Is there any good reason to not just let get_id_from_sid() in
nsswitch/winbindd_idmap.c do all the checking?  It seems as though the
optimization achieved by the multitude of checks is minimal and greatly
reduces the integration possibilities between winbindd and
traditional unix authentication.

Mike
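
Added example, not part of the original post and not Samba code: a toy model of the two designs discussed above, a caller-side range test in front of the lookup versus letting the mapping table alone decide. All names, the range and the SIDs are constructed, and the out-of-range mapped gid is an assumed integration scenario.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy model: every name here is hypothetical, none is Samba's. */
typedef unsigned int toy_gid_t;

struct toy_range { toy_gid_t low, high; };
struct toy_map_entry { toy_gid_t gid; const char *sid; };

/* Constructed sample data: one gid allocated inside the winbind range and
 * one pre-existing /etc/group-style gid (assumed to have a mapping too). */
static const struct toy_map_entry toy_map[] = {
    { 10001, "S-1-5-21-1111-2222-3333-513"  },
    { 100,   "S-1-5-21-1111-2222-3333-1105" },
};
static const struct toy_range toy_winbind_gids = { 10000, 20000 };

/* Central lookup: the table alone decides whether a gid has a SID. */
const char *toy_gid_to_sid(toy_gid_t gid)
{
    for (size_t i = 0; i < sizeof(toy_map) / sizeof(toy_map[0]); i++)
        if (toy_map[i].gid == gid)
            return toy_map[i].sid;
    return NULL;   /* unmapped ids are still rejected here */
}

/* Caller-side pattern quoted in the post: range test first, lookup second. */
const char *toy_gid_to_sid_prechecked(toy_gid_t gid)
{
    if (gid < toy_winbind_gids.low || gid > toy_winbind_gids.high)
        return NULL;   /* "bug out" before the table is consulted */
    return toy_gid_to_sid(gid);
}

int main(void)
{
    const toy_gid_t probes[] = { 10001, 100, 4242 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        const char *a = toy_gid_to_sid_prechecked(probes[i]);
        const char *b = toy_gid_to_sid(probes[i]);
        printf("gid %u: prechecked=%s central=%s\n", probes[i],
               a ? a : "(none)", b ? b : "(none)");
    }
    return 0;
}
```

In this model both paths reject the unmapped gid 4242; the only behavioural difference is gid 100, which has a table entry but never reaches the lookup when the range test runs first.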





