A RID allocator and its consequences
Volker.Lendecke at SerNet.DE
Fri Sep 27 06:59:00 GMT 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> OK, the really nasty bit about this is the implicit mapping of existing
> unix accounts to rids. I went to a lot of effort to try and get rid of
> it - but the best I could do was hide it under a pile of interfaces and
> pretend it wasn't there ;-)
>
> If you use smbpasswd, naturally, you get 'algorithmic' rids. Fine, you
> probably won't be using smbpasswd for this game anyway. The problem is
> that any unix user must also have a RID. This is because at any time, a
> user might try and get the security descriptor of a file.
First of all: My patch is absolutely experimental stuff, not yet meant
seriously.
The right way would have been to remove the group rid from
SAM_ACCOUNT. But this would have changed the interface which I did not
want to touch in the first round.
smbpasswd is the one where we get algorithmic mapping. I would like to
see the algorithms in pdb_smbpasswd if that is possible. Or share it
with nisplus (I still have to look at that one.). This however means
that pdb_smbpasswd needs some knowledge of groups to be able to at
least hand out a group rid upon demand. Hmm. Where does that lead? ;-)
> The next problem is that we don't like reusing RIDs - so if that rid was
> ever available 'implicitly' then we should not use it. Also, a user
> 'upgraded' from /etc/passwd should keep the same RID. This is the
> reasoning for the crazy stuff in unixsam. (I'm still undecided if it's
> very neat or an ugly hack...).
What crazy stuff do you mean? unixsam_update_sam_account?
> However, there is an 'out'. If you never specify 'unixsam', and always
> import users, setting a rid when you add them (currently smbpasswd uses
> the algorithm or their unixsam upgrade), then this will work. But if
> somebody asks for a security descriptor on a file, and we don't know the
> mapping for that owner, then it will fail. BTW, using 'hide unreadable'
> counts as asking for the mapping, as I found out recently...
For non-smbpasswd backends can't we take the same route as with
get_group_from_gid: Create pdb entries on the fly?
Volker
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Key-ID ADE377D8, Fingerprint available: phone +49 551 3700000
iD8DBQE9lAGlZeeQha3jd9gRAk3lAJ0X56cAzLG4XQrgSjmsYelw73TavQCbBM2/
0tt7lf490iSA6ZQN3MU1vXo=
=9VQF
-----END PGP SIGNATURE-----
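The rules the quoted reply lays out (algorithmic RIDs for smbpasswd, a user "upgraded" from /etc/passwd keeping its RID, never reusing a RID that was ever reachable implicitly, and a security-descriptor lookup failing for an owner with no known mapping) together with the on-the-fly entry creation Volker proposes, modelled in an added Python example. This is not Samba code and not part of the thread; the formula assumed for the algorithmic map (user RID = 2*uid + 1000, group RID = 2*gid + 1001), the `RidAllocator` class and the constructed passwd data are all assumptions of this example, and the page itself never spells the formula out.

```python
from typing import Dict, Optional, Set

# Assumed algorithmic mapping; the thread only calls it "algorithmic rids".
ALGORITHMIC_RID_BASE = 1000
RID_MULTIPLIER = 2


def algorithmic_user_rid(uid: int) -> int:
    """RID a unix account holds 'implicitly' under the algorithmic scheme."""
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE


def algorithmic_group_rid(gid: int) -> int:
    """Group RIDs sit on the odd numbers so they never collide with users."""
    return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + 1


class RidAllocator:
    """Explicit RID allocator for a non-smbpasswd backend (hypothetical)."""

    def __init__(self, unix_passwd: Dict[str, int], first_free_rid: int = 5000):
        self.passwd = dict(unix_passwd)      # name -> uid, stand-in for /etc/passwd
        self.rid_of: Dict[str, int] = {}     # name -> rid, the stored passdb entries
        self.burned: Set[int] = set()        # RIDs that may never be handed out again
        self.next_rid = first_free_rid
        # Rule: a RID that was ever reachable implicitly (the algorithmic RID of
        # any unix account, imported or not) is burned from the start.
        for uid in self.passwd.values():
            self.burned.add(algorithmic_user_rid(uid))

    def _fresh_rid(self) -> int:
        """Hand out the lowest never-used RID, skipping burned ones."""
        while self.next_rid in self.burned:
            self.next_rid += 1
        rid = self.next_rid
        self.next_rid += 1
        return rid

    def add_user(self, name: str, rid: Optional[int] = None) -> int:
        """Import a user, fixing its RID exactly once at import time."""
        if name in self.rid_of:
            raise ValueError(f"{name!r} already has RID {self.rid_of[name]}")
        implicit = algorithmic_user_rid(self.passwd[name]) if name in self.passwd else None
        if rid is None:
            # A user upgraded from /etc/passwd keeps the RID it already had;
            # anyone without a unix uid gets a fresh, never-used RID.
            rid = implicit if implicit is not None else self._fresh_rid()
        elif rid in self.burned and rid != implicit:
            raise ValueError(f"RID {rid} was already reachable; refusing to reuse it")
        self.rid_of[name] = rid
        self.burned.add(rid)
        return rid

    def remove_user(self, name: str) -> None:
        """Delete the entry; its RID stays burned so it is never recycled."""
        del self.rid_of[name]

    def rid_for_uid(self, uid: int, create_on_the_fly: bool) -> int:
        """Owner uid -> RID, as a security-descriptor request needs it."""
        names = [n for n, u in self.passwd.items() if u == uid]
        if not names:
            raise KeyError(f"uid {uid} is not a unix account")
        name = names[0]
        if name in self.rid_of:
            return self.rid_of[name]
        if not create_on_the_fly:
            # Behaviour the quoted reply describes: unknown mapping, request fails.
            raise LookupError(f"no RID known for {name!r} (uid {uid})")
        # Volker's proposal: create the passdb entry on demand, keeping the
        # implicit RID so a later explicit import sees the same value.
        return self.add_user(name)


def demo() -> Dict[str, object]:
    """Walk the allocator through the cases the thread argues about."""
    # Constructed sample data standing in for /etc/passwd.
    alloc = RidAllocator({"alice": 1001, "bob": 1002}, first_free_rid=3000)
    out: Dict[str, object] = {}
    out["alice"] = alloc.add_user("alice")   # upgraded: keeps implicit 3002
    out["carol"] = alloc.add_user("carol")   # no uid: fresh 3000
    out["dave"] = alloc.add_user("dave")     # fresh 3001
    out["erin"] = alloc.add_user("erin")     # 3002 burned (alice), so 3003
    alloc.remove_user("carol")
    out["frank"] = alloc.add_user("frank")   # 3000 not recycled; 3004 is bob's -> 3005
    try:
        alloc.rid_for_uid(1002, create_on_the_fly=False)
        out["bob_lookup"] = "ok"
    except LookupError:
        out["bob_lookup"] = "failed"         # bob never imported: request fails
    out["bob_on_the_fly"] = alloc.rid_for_uid(1002, create_on_the_fly=True)
    try:
        alloc.add_user("gina", rid=3002)     # collides with alice's implicit RID
        out["gina"] = "accepted"
    except ValueError:
        out["gina"] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model only knows the unix accounts that exist when it starts; a uid created later whose algorithmic RID collides with an explicitly allocated one is exactly the case neither a pure allocator nor the implicit map can prevent on its own, which is why the thread keeps returning to where the algorithmic knowledge should live.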