Need to map SIDs for unknown users
abartlet at samba.org
Sun Jul 13 03:00:50 GMT 2003
On Sat, Jul 12, 2003 at 09:09:18PM -0500, Gerald (Jerry) Carter wrote:
> On Sat, 12 Jul 2003, Andrew Bartlett wrote:
> > Just a quick note about our current SID->UID scheme since this week's
> > changes:
> > As I read it, we will only allocate a SID for a user that exists in
> > winbind - ie, a user in a trusted domain, with a currently active DC.
> > This presents a major issue for NAS devices, which often have to deal
> > with down DCs, but also with 'foreign sids' - sids from a user's
> > workstation and the like, that we can never see via winbind.
> > The previous 3.0 code allowed this to work, usually guessing that a gid
> > was most appropriate. While not the best solution, as long as we never
> > actually see that user at login, it's fine.
> > Fixing this should just be a matter of fixing the code in smbd/uid.c,
> > rather than a major redesign.
> This design actually introduces a security hole (DoS). Using
> your solution, if I have access to a file that I can set an ACL
> on, I can continually send unknown SIDs in the ACL and eventually
> exhaust the entire free gid space.
> Unless we know a SID is valid, I don't believe we should allocate
> any uid or gid for it. I realize the problems this causes with domain
> controllers down. If this is a real problem for a NAS box, the
> appliance should store the SID somewhere and resolve it at the last
> possible moment. But if you store SIDs on the filesystem, then you
> don't need to resolve it to a uid or gid at all.
In an ideal world yes - but for now this is how we have to work - for
any POSIX based system.
My problem can be resolved with yet another vendor-specific patch, but the
issue will bite others.
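
The gid-exhaustion concern from the quoted reply, as an added sketch that is not code from Samba or from either poster: a toy allocator compares mapping every SID it sees against mapping only SIDs that resolve. The pool size, the trusted-domain prefix, the SID values and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy idmap: a tiny gid pool and one made-up trusted domain. */
#define GID_LOW   10000
#define POOL_SIZE 8
#define TRUSTED   "S-1-5-21-1111-2222-3333-"
struct idmap { char sids[POOL_SIZE][64]; int used; };  /* sids[i] -> GID_LOW+i */

/* Hypothetical stand-in for "winbind can resolve this SID". */
static int sid_is_known(const char *sid)
{
    return strncmp(sid, TRUSTED, strlen(TRUSTED)) == 0;
}

/* Return the gid for sid, or -1 if refused or the pool is full.
 * require_known=0 allocates for any SID seen; =1 only for resolvable ones. */
static int sid_to_gid(struct idmap *m, const char *sid, int require_known)
{
    for (int i = 0; i < m->used; i++)
        if (strcmp(m->sids[i], sid) == 0)
            return GID_LOW + i;
    if (require_known && !sid_is_known(sid))
        return -1;                       /* stays unmapped, costs nothing */
    if (m->used == POOL_SIZE)
        return -1;                       /* pool exhausted */
    snprintf(m->sids[m->used], sizeof(m->sids[0]), "%s", sid);
    return GID_LOW + m->used++;
}

/* Present n distinct unresolvable SIDs, as ACL entries would, then request a
 * mapping for one SID from the trusted domain. Returns that gid or -1. */
static int legit_gid_after_unknowns(int n, int require_known)
{
    struct idmap m = { .used = 0 };
    char sid[64];
    for (int i = 0; i < n; i++) {
        snprintf(sid, sizeof(sid), "S-1-5-21-9-9-9-%d", 1000 + i);
        sid_to_gid(&m, sid, require_known);
    }
    return sid_to_gid(&m, TRUSTED "513", require_known);
}

int main(void)
{
    printf("allocate for any SID:    %d\n", legit_gid_after_unknowns(100, 0));
    printf("allocate only if known:  %d\n", legit_gid_after_unknowns(100, 1));
    return 0;
}
```

The second policy keeps the pool intact but leaves foreign SIDs and SIDs from a down DC unmapped, which is the trade-off the reply above objects to.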