[PATCH] store SID's in SAM_ACCOUNT

abartlet at samba.org abartlet at samba.org
Tue May 28 05:29:02 GMT 2002


On Tue, May 28, 2002 at 02:07:52PM +0200, Simo Sorce wrote:
> Hi Stefan.
> 
> As you may have seen I have already changed the pdb_interface to search
> by SID and I'm really in favour of using SIDs inside SAM_ACCOUNT instead of
> RIDs, but I think this patch does not address the problem the right way.
> 
> What we should do is store the SID in the backends, not convert it at
> run time.

Given time, yes.  But (for example) we really cannot change the LDAP schema
at this stage (we must certainly still support the current schema) and other
backends might choose to store the RID/SID in a way that best suits their
technology.

> I think we may use part of your code inside pdbedit to have a tool to
> upgrade from previous backends that store by RID into the new ones.

I don't see the need for a forced 'upgrade'.  New backends can use this - but
with the major passdb backends (ldap, smbpasswd) still being RID based into
the future, we are going to still need this.

> I'm working on tdbsam2 that will store by SID and have also some other
> interesting things (privileges and such) I have discussed with JFM the
> last samba experience conference.

BTW, pdbedit already handles 'upgrades', just import from one format and 
export to the other.  This code will ensure that it all 'just works'.

> What do others think?

I think this patch is fine.  We have to start somewhere - and while you 
might *like* to rework the whole passdb in one hit, I don't see any reason
why an incremental patch cannot be applied in the meantime.

On the patch itself, my only comment is that when implementing the
compatibility functions, make them call the 'real' functions (see 
pdb_set_plaintext_password()) rather than modifying the struct directly.

Also I see you still have pdb_set_user_rid(), which just calls the fallback.
If this is really a complete patch, then these functions can go, and other
coders will notice it - and hopefully see what the new interface is.

Either that, or don't rename the fn at all.

Finally, re the SID initialisation:  Make a new function that returns the 
global sam sid.  Make it 'auto-initialise', if it's not been run before, then
it should figure it out, and store it in a static.

Andrew Bartlett



