A RID allocator and its consequences

Andrew Bartlett abartlet at samba.org
Fri Sep 27 05:55:01 GMT 2002


Volker.Lendecke at SerNet.DE wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi!
> 
> This is a surprisingly little (compiled, but not tested) patch that
> mainly should do the following:
> 
> Implement a rid allocator in secrets.tdb. This might not be the right
> place to do it, but as we are one-domain with passdb, RID allocation
> is a global thing.
> 
> Second, in get_group_from_gid it initializes a new group mapping as an
> alias on the fly. So if the gid exists it should basically not fail
> anymore.
> 
> Third, as a consequence of get_group_from_gid, most of the calls to
> pdb_gid_to_group_rid are gone. There's two left in passdb.c which I
> don't really understand. Maybe it's too late now. The remaining one is
> in pdb_nisplus which I will not touch for now.
> 
> This is only an interim step I think, the next step would be to remove
> the group_sid from SAM_ACCOUNT completely, as we can now always get a
> SID for a gid.

OK, the really nasty bit about this is the implicit mapping of existing
unix accounts to rids.  I went to a lot of effort to try and get rid of
it - but the best I could do was hide it under a pile of interfaces and
pretend it wasn't there ;-)

If you use smbpasswd, naturally, you get 'algorithmic' rids.  Fine, you
probably won't be using smbpasswd for this game anyway.  The problem is
that any unix user must also have a RID.  This is because at any time, a
user might try and get the security descriptor of a file.

The next problem is that we don't like reusing RIDs - so if that rid was
ever available 'implicitly' then we should not use it.  Also, a user
'upgraded' from /etc/passwd should keep the same RID.  This is the
reasoning for the crazy stuff in unixsam.  (I'm still undecided if it's
very neat or an ugly hack...).  

However, there is an 'out'.  If you never specify 'unixsam', and always
import users, setting a rid when you add them (currently smbpasswd uses
the algorithm or their unixsam upgrade), then this will work.  But if
somebody asks for a security descriptor on a file, and we don't know the
mapping for that owner, then it will fail.  BTW, using 'hide unreadable'
counts as asking for the mapping, as I found out recently...

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
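
An added example, not code from the patch or from Samba: a sketch in C of the constraints described in this message (every Unix id has an implicit RID, allocated RIDs are never reused or taken from the implicit range, an upgraded user keeps its RID). The `uid*2 + 1000` mapping constants, the `max_unix_id` bound and all function and struct names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed constants for the 'algorithmic' mapping (not stated in the thread). */
#define RID_BASE        1000u
#define RID_MULTIPLIER  2u
#define USER_RID_TYPE   0u
#define GROUP_RID_TYPE  1u

/* Implicit RID that every Unix uid/gid has, even with no passdb entry. */
uint32_t algorithmic_uid_to_rid(uint32_t uid) {
    return (uid * RID_MULTIPLIER + RID_BASE) | USER_RID_TYPE;
}
uint32_t algorithmic_gid_to_rid(uint32_t gid) {
    return (gid * RID_MULTIPLIER + RID_BASE) | GROUP_RID_TYPE;
}

/* Hypothetical allocator state; stands in for a counter kept in secrets.tdb. */
struct rid_allocator {
    uint32_t max_unix_id; /* highest uid/gid assumed to ever exist (small enough not to overflow) */
    uint32_t next_rid;    /* high-water mark; only ever moves upward */
};

/* True if some uid or gid <= max_unix_id maps to this RID implicitly. */
bool rid_is_implicit(const struct rid_allocator *a, uint32_t rid) {
    return rid >= RID_BASE && (rid - RID_BASE) / RID_MULTIPLIER <= a->max_unix_id;
}

/* Hand out a fresh RID: never one handed out before, never an implicit one. */
bool rid_alloc(struct rid_allocator *a, uint32_t *out) {
    uint32_t floor = algorithmic_gid_to_rid(a->max_unix_id) + 1;
    if (a->next_rid < floor)
        a->next_rid = floor;      /* jump past the whole implicit range */
    if (a->next_rid == UINT32_MAX)
        return false;             /* exhausted: fail rather than wrap and reuse */
    *out = a->next_rid++;
    return true;
}

/* A user 'upgraded' from /etc/passwd keeps the RID it already had implicitly. */
uint32_t rid_for_upgraded_user(uint32_t uid) {
    return algorithmic_uid_to_rid(uid);
}
```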


