Need to map SIDs for unknown users

Gerald (Jerry) Carter jerry at
Sun Jul 13 02:09:18 GMT 2003

On Sat, 12 Jul 2003, Andrew Bartlett wrote:

> Just a quick note about our current SID->UID scheme since this week's
> changes:
> As I read it, we will only allocate a SID for a user that exists in
> winbind - ie, a user in a trusted domain, with a currently active DC.
> This presents a major issue for NAS devices, which often have to deal 
> with down DCs, but also with 'foreign sids' - sids from a user's 
> workstation and the like, that we can never see via winbind.  
> The previous 3.0 code allowed this to work, usually guessing that a gid
> was most appropriate.  While not the best solution, as long as we never
> actually see that user at login, it's fine.
> Fixing this should just be a matter of fixing the code in smbd/uid.c,
> rather than a major redesign.

This design actually introduces a security hole (DoS).  Using 
your solution, if I have access to a file that I can set an ACL
on, I can continually send unknown SIDs in the ACL and eventually 
exhaust the entire free gid space.

Unless we know a SID is valid, I don't believe we should allocate 
any uid or gid for it.  I realize the problems this causes with domain
controllers down.  If this is a real problem for a NAS box, the 
appliance should store the SID somewhere and resolve it at the last 
possible moment.  But if you store SIDs on the filesystem, then you 
don't need to resolve it to a uid or gid at all.

I'm sure Jeremy will have some more relevant comments on the ACL 

cheers, jerry
 Hewlett-Packard
 SAMBA Team
 GnuPG Key
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)
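
The gid-exhaustion concern raised in the message above, as an added example that is not part of the original post and is not Samba code: a toy allocator over a deliberately tiny gid range, run once allocating for any SID and once only for SIDs a lookup confirms. The range, the `sid_is_known` stand-in for a winbind/DC lookup and all SID values are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (constructed): a fixed gid range such as an id allocator hands out. */
#define GID_LOW   10000
#define GID_HIGH  10007                 /* 8 free gids, deliberately tiny */
#define POOL      (GID_HIGH - GID_LOW + 1)

struct idmap {
    char sids[POOL][64];
    int  used;
    int  validate;                      /* 1 = only map SIDs confirmed valid */
};

/* Hypothetical stand-in for a winbind/DC lookup: only this domain prefix resolves. */
static int sid_is_known(const char *sid)
{
    return strncmp(sid, "S-1-5-21-1111-2222-3333-", 24) == 0;
}

/* Returns the gid mapped to sid, or -1 if the SID is refused or the pool is full. */
static int sid_to_gid(struct idmap *m, const char *sid)
{
    for (int i = 0; i < m->used; i++)
        if (strcmp(m->sids[i], sid) == 0)
            return GID_LOW + i;         /* already mapped: reuse */
    if ((m->validate && !sid_is_known(sid)) || m->used == POOL)
        return -1;
    snprintf(m->sids[m->used], sizeof m->sids[0], "%s", sid);
    return GID_LOW + m->used++;
}

/* Present n unknown SIDs (as ACL entries would), then map one real domain user. */
static int gid_for_real_user_after(int validate, int n)
{
    struct idmap m = { .used = 0, .validate = validate };
    char sid[64];
    for (int i = 0; i < n; i++) {
        snprintf(sid, sizeof sid, "S-1-5-21-9-9-9-%d", 1000 + i);
        sid_to_gid(&m, sid);            /* unknown SID arriving in an ACL */
    }
    return sid_to_gid(&m, "S-1-5-21-1111-2222-3333-1105");
}

int main(void)
{
    printf("allocate-any: %d, validate-first: %d\n",
           gid_for_real_user_after(0, 100), gid_for_real_user_after(1, 100));
    return 0;
}
```

With allocation for any SID the real user gets no gid once the range is consumed; with validation first the unknown SIDs consume nothing and the real user receives the first free gid.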


