Need to map SIDs for unknown users

Andrew Bartlett abartlet at samba.org
Sun Jul 13 03:00:50 GMT 2003


On Sat, Jul 12, 2003 at 09:09:18PM -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sat, 12 Jul 2003, Andrew Bartlett wrote:
> 
> > Just a quick note about our current SID->UID scheme since this week's
> > changes:
> > 
> > As I read it, we will only allocate a SID for a user that exists in
> > winbind - i.e., a user in a trusted domain, with a currently active DC.
> > 
> > This presents a major issue for NAS devices, which often have to deal 
> > with down DCs, but also with 'foreign sids' - sids from a user's 
> > workstation and the like, that we can never see via winbind.  
> > 
> > The previous 3.0 code allowed this to work, usually guessing that a gid
> > was most appropriate.  While not the best solution, as long as we never
> > actually see that user at login, it's fine.
> > 
> > Fixing this should just be a matter of fixing the code in smbd/uid.c,
> > rather than a major redesign.
> 
> This design actually introduces a security hole (DoS).  Using 
> your solution, if I have access to a file that I can set an ACL
> on, I can continually send unknown SIDs in the ACL and eventually 
> exhaust the entire free gid space.
> 
> Unless we know a SID is valid, I don't believe we should allocate 
> any uid or gid for it.  I realize the problems this causes with domain
> controllers down.  If this is a real problem for a NAS box, the 
> appliance should store the SID somewhere and resolve it at the last 
> possible moment.  But if you store SIDs on the filesystem, then you 
> don't need to resolve it to a uid or gid at all.

In an ideal world yes - but for now this is how we have to work - for 
any POSIX based system.

My problem can be resolved with yet another vendor-specific patch, but the
issue will bite others.

Andrew Bartlett
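
The trade-off discussed in this thread, as an added example that is not part of the original message and is not Samba's idmap code: a toy SID-to-gid allocator with a deliberately tiny range, run once allocating for any SID and once allocating only for SIDs that resolve. The range, the domain prefix, and all function names are constructed for illustration.

```c
/* Toy SID->gid allocator (illustrative; names and values are constructed). */
#include <stdio.h>
#include <string.h>

#define GID_LOW 10000                 /* constructed range: 8 ids wide */
#define MAP_MAX 8
#define KNOWN_PREFIX "S-1-5-21-1111-2222-3333-"   /* constructed domain SID */

struct idmap {
    char sid[MAP_MAX][64];
    int used;
    int require_valid;   /* 1 = allocate only for SIDs that resolve */
};

/* Stand-in for a winbind lookup: only the constructed domain resolves. */
static int sid_is_known(const char *sid)
{
    return strncmp(sid, KNOWN_PREFIX, strlen(KNOWN_PREFIX)) == 0;
}

/* Returns the mapped gid, or -1 if refused or the range is exhausted. */
int sid_to_gid(struct idmap *m, const char *sid)
{
    for (int i = 0; i < m->used; i++)
        if (strcmp(m->sid[i], sid) == 0)
            return GID_LOW + i;       /* existing mapping is reused */
    if (m->require_valid && !sid_is_known(sid)) return -1;
    if (m->used == MAP_MAX) return -1;
    snprintf(m->sid[m->used], sizeof m->sid[0], "%s", sid);
    return GID_LOW + m->used++;
}

/* Map n distinct unresolvable SIDs (as ACL entries would present them),
 * then try to map one user from the known domain. */
int gid_for_real_user_after(int require_valid, int n_unknown)
{
    struct idmap m = { .used = 0, .require_valid = require_valid };
    char sid[64];
    for (int i = 0; i < n_unknown; i++) {
        snprintf(sid, sizeof sid, "S-1-5-21-9-9-9-%d", 1000 + i);
        sid_to_gid(&m, sid);
    }
    return sid_to_gid(&m, KNOWN_PREFIX "500");
}

int main(void)
{
    printf("allocate-any: %d  validate-first: %d\n",
           gid_for_real_user_after(0, 100), gid_for_real_user_after(1, 100));
    return 0;
}
```

With validation the known user still gets a gid after 100 unresolvable SIDs, but those foreign SIDs get no mapping at all, which is the NAS problem raised in the reply.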


