A RID allocator and its consequences

Volker.Lendecke at SerNet.DE Volker.Lendecke at SerNet.DE
Fri Sep 27 06:59:00 GMT 2002

Hash: SHA1

> OK, the really nasty bit about this is the implict mapping of existing
> unix accounts to rids.  I went to a lot of effor to try and get rid of
> it - but the best I could do was hide it under a pile of interfaces and
> pretend it wasn't there ;-)
> If you use smbpasswd, naturally, you get 'algorithmic' rids.  Fine, you
> probably won't be using smbpasswd for this game anyway.  The problem is
> that any unix user must also have a RID.  This is becouse at any time, a
> user might try and get the security descriptor of a file.

First of all: My patch is absolutely experimental stuff, not yet meant

The right way would have been to remove the group rid from
SAM_ACCOUNT. But this would have changed the interface which I did not
want to touch in the first rounnd.

smbpasswd is the one where we get algorithmic mapping. I would like to
see the algorithms in pdb_smbpasswd if that is possible. Or share it
with nisplus (I still have to look at that one.). This however means
that pdb_smbpasswd needs some knowlege of groups to be able to at
least hand out a group rid upon demand. Hmm. Where does that lead? ;-)

> The next problem is that we don't like reusing RIDs - so if that rid was
> ever available 'implicitly' then we should not use it.  Also, a user
> 'upgraded' from /etc/passwd should keep the same RID.  This is the
> reasoning for the crazy stuff in unixsam.  (I'm still undecided if it's
> very neat or an ugly hack...).  

What crazy stuff do you mean? unixsam_update_sam_account?

> However, there is an 'out'.  If you never specify 'unixsam', and always
> import users, setting a rid when you add them (currently smbpasswd uses
> the algorithm or their unixsam upgrade), then this will work.  But if
> sombody asks for a security descriptor on a file, and we don't know the
> mapping for that owner, then it will fail.  BTW, using 'hide unreadable'
> counts as asking for the mapping, as I found out recently...

For non-smbpasswd backends can't we take the same route as with
get_group_from_gid: Create pdb entries on the fly?


Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Key-ID ADE377D8, Fingerprint available: phone +49 551 3700000


More information about the samba-technical mailing list