winbindd uid and gid range assumptions

Mike Gerdts Michael.Gerdts at
Mon May 13 11:30:43 GMT 2002

It seems as though there was an assumption that users of winbindd would
have switched entirely to NT domain authentication or that they would
have distinct range of UIDs/GIDs for /etc/passwd (or NIS) and NT domain.

The most obvious sign of this is the peppering of statements like the
following throughout various files:

	/* Bug out if the gid isn't in the winbind range */

	if ((state-> < server_state.gid_low) ||
	    (state-> > server_state.gid_high)) {
       		return WINBINDD_ERROR;

Also, smbd/uid.c does a similar check before calling

        if (lp_winbind_uid(&low, &high) && uid >= low && uid <= high) {
                if (winbind_uid_to_sid(psid, uid)) {

                        DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
                                (unsigned int)uid, sid_to_string(sid, psid)));

                        return psid;

Is there any good reason to not just let get_id_from_sid() in
nsswitch/winbindd_idmap.c do all the checking?  It seems as though the
optimization achieved by the multitude of checks is minimal and greatly
reduces the chances integration possibilities between winbindd and
traditional unix authentication.


More information about the samba-technical mailing list