refactoring idmap code in smbd

Gerald (Jerry) Carter jerry at samba.org
Thu Jul 10 14:07:33 GMT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 9 Jul 2003, Steve Langasek wrote:

> So assuming that Samba is configured to disallow creation of accounts
> within winbind (in the case of an LDAP-using site that needs consistent
> ids, for example), does this mean that there will not be an actual idmap
> stored anywhere -- that Samba will simply run the create user script,
> which allocates an available uid, and assigns a DOM\user name to that
> uid?  This is attractive, but dangerous; not only would it depend on
> being able to resolve an SID to a name before mapping to a uid[1], there's

You have to have a uid before you can get a SID.  See samr_create_user().

> also the issue of username reuse in a foreign domain

samr_create_user() is for your get_global_sam_name(), so there 
is no conflict here.  On a real domain member or DC, winbindd_acct.c 
is only used for local users.  I think there's one small bug I need 
to track down today, but that is how it should work.

> -- NT is careful to never reuse an SID after the user it belongs to is
> deleted, but a name-based map would let a user inherit any Unix
> filesystem access belonging to the predecessor.

If you delete a user from /etc/passwd and re-add a new user 
with the same UID, whose fault is that?  Samba is not Windows, 
so we have certain constraints to work within.  Suppose we create
a new user with a unique SID but the same username as a user in 
/etc/passwd.   Whose fault is that?  My conjecture is that it is 
the admin's.  

But lest you be worried about it: an RPC call to delete a user 
will also be able to delete the user from winbindd's account tdb.  
I just have to code up the winbindd_delete_user() and 
winbindd_delete_group() calls today.






cheers, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE/DXMmIR7qMdg1EfYRArmKAJ9I+b7FYr2sppwyLBKn5ydHjB4PDACgj33Z
uXUaedz5Syma1XRJclPsNxs=
=xjN7
-----END PGP SIGNATURE-----
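The name-reuse hazard Steve raises, and the delete hook Jerry promises, as an added example that is not Samba code. It simulates a domain that allocates SIDs with monotonically increasing RIDs (never reused, as NT does) and an allocating idmap that can be keyed either by DOM\user name or by SID. The domain SID, the uid range, and every function name here (Domain, Idmap, reuse_scenario) are constructed for illustration.

```python
"""Name-keyed vs SID-keyed idmap: what a deleted-then-recreated user inherits.

Added example, not Samba code.  Models the two ways an allocating idmap
could remember 'DOM\\user -> uid' and what happens when the domain deletes
a user and later creates a new one with the same name.
"""

from itertools import count

DOMAIN = "DOM"
DOMAIN_SID = "S-1-5-21-1000-2000-3000"   # constructed example domain SID


class Domain:
    """Directory that hands out SIDs.  RIDs only ever increase, so a
    deleted user's SID is never handed to anyone else."""

    def __init__(self):
        self._next_rid = count(1001)
        self.users = {}                      # name -> SID

    def create_user(self, name):
        sid = f"{DOMAIN_SID}-{next(self._next_rid)}"
        self.users[name] = sid
        return sid

    def delete_user(self, name):
        return self.users.pop(name)

    def lookup_sid(self, name):
        return self.users[name]


class Idmap:
    """Allocating idmap.  key_by is 'name' (DOM\\user) or 'sid';
    uids are allocated sequentially from a configured range."""

    def __init__(self, key_by, low=10000):
        assert key_by in ("name", "sid")
        self.key_by = key_by
        self.table = {}                      # key -> uid (the tdb)
        self._next_uid = count(low)

    def _key(self, domain, name):
        if self.key_by == "name":
            return f"{DOMAIN}\\{name}"
        return domain.lookup_sid(name)       # SID-keyed: resolve name first

    def uid_for(self, domain, name):
        key = self._key(domain, name)
        if key not in self.table:
            self.table[key] = next(self._next_uid)
        return self.table[key]

    def forget(self, domain, name):
        """Hypothetical winbindd_delete_user()-style hook: drop the mapping
        when the account is deleted.  Must run while the name still
        resolves, i.e. before the domain removes the user."""
        self.table.pop(self._key(domain, name), None)


def reuse_scenario(key_by, delete_hook):
    """Create alice, give her a file, delete her, create a new alice with
    the same name (new SID).  Report whether the new alice gets the old
    uid and therefore the old file, and how many idmap entries remain."""
    dom = Domain()
    idmap = Idmap(key_by)
    dom.create_user("alice")
    old_uid = idmap.uid_for(dom, "alice")
    file_owner_uid = old_uid                 # chown'd to the first alice

    if delete_hook:
        idmap.forget(dom, "alice")           # before the SID disappears
    dom.delete_user("alice")

    dom.create_user("alice")                 # same name, fresh RID
    new_uid = idmap.uid_for(dom, "alice")
    return {
        "old_uid": old_uid,
        "new_uid": new_uid,
        "inherits_files": new_uid == file_owner_uid,
        "idmap_entries": len(idmap.table),
    }


if __name__ == "__main__":
    for key_by in ("name", "sid"):
        for hook in (False, True):
            print(key_by, "hook" if hook else "no-hook", reuse_scenario(key_by, hook))
```

Run stand-alone it prints four rows. The name-keyed map without a delete hook hands the recreated alice the predecessor's uid, which is exactly the filesystem inheritance problem; with the hook, or with a SID-keyed map, the new alice gets a fresh uid. The hook still matters for the SID-keyed case: without it the old SID's entry lingers in the tdb, so the uid is never returned to the pool.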