Fixed: Re: 3.0a21: add a new group using ACL results in a new user in winbindd idmap
Chere Zhou
qzhou at isilon.com
Thu Mar 13 00:02:49 GMT 2003
Although nobody replied to me, I still think this applies to HEAD and is a
general problem.
The reason behind this problem is that when you add a new group or user not
known to winbindd_idmap.tdb through ACL, the code in posix_acl.c does the
following (line 1006):
    } else if (sid_to_uid( &current_ace->trustee,
                           &current_ace->unix_ug.uid, &sid_type)) {
        current_ace->owner_type = UID_ACE;
        current_ace->type = SMB_ACL_USER;
    } else if (sid_to_gid( &current_ace->trustee,
                           &current_ace->unix_ug.gid, &sid_type)) {
        current_ace->owner_type = GID_ACE;
        current_ace->type = SMB_ACL_GROUP;
    } else {
which means it tries to map the SID to a uid first and, if that fails, then tries a gid.
However, since the following code in sid_to_uid() is commented out:
    /* (tridge) I commented out the slab of code below in order to support
       foreign SIDs
       Do we really need to validate the type of SID we have in this case?
    */
#if 0
    fstring dom_name, name;
    enum SID_NAME_USE name_type;

    *sidtype = SID_NAME_UNKNOWN;

    /*
     * First we must look up the name and decide if this is a user sid.
     */
    if ( (!winbind_lookup_sid(psid, dom_name, name, &name_type)) ||
         (name_type != SID_NAME_USER) ) {
        BOOL result;
        DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - trying local.\n",
                  sid_to_string(sid_str, psid) ));
        become_root();
        result = local_sid_to_uid(puid, psid, sidtype);
        unbecome_root();
        return result;
    }

    /*
     * Ensure this is a user sid.
     */
    if (name_type != SID_NAME_USER) {
        DEBUG(10,("sid_to_uid: winbind lookup succeeded but SID is not a uid (%u)\n",
                  (unsigned int)name_type ));
        return False;
    }
#endif
A new SID will always successfully map to a uid.
The fix would be either to uncomment the above code in sid_to_uid(), or, in
posix_acl.c, to call lookup_sid() first, before calling sid_to_uid(), to find
out the name type (user or group).
Are there any other options?
Chere
On Wednesday 05 March 2003 06:57 pm, Chere Zhou wrote:
> I am in an ADS domain. From a Windows client, create a file, add a group
> to the file using ACLs (new means the group is not in winbindd database
> yet), the group is mapped as a user in the winbindd_idmap.tdb. The group
> is not any special type, just a normal group (not local, not universal).
>
> Does anyone know about this problem?
>
> Thanks,
> Chere
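The following is an added illustration of the mapping-order problem described in the mail above; it is not code from the mail or from Samba. It models the three pieces involved with a constructed directory and a toy idmap: the type-agnostic `sid_to_uid()` that never fails, the uid-then-gid order used in posix_acl.c, and the two fixes proposed in the mail (re-enabling the type check inside `sid_to_uid()`, or calling `lookup_sid()` first). All function names, the `name_type` enum and the SIDs are hypothetical stand-ins for the Samba symbols quoted above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical subset of Samba's SID_NAME_USE; only user vs. group matters here. */
enum name_type { NAME_USER, NAME_GROUP, NAME_UNKNOWN };

/* Constructed directory standing in for what winbind_lookup_sid() would answer. */
struct dir_entry { const char *sid; enum name_type type; };
static const struct dir_entry directory[] = {
    { "S-1-5-21-1-2-3-1105", NAME_USER },  /* a domain user  (constructed SID) */
    { "S-1-5-21-1-2-3-1108", NAME_GROUP }, /* a domain group (constructed SID) */
};

/* Toy idmap: a fresh winbindd_idmap.tdb simply hands out the next free id. */
static unsigned next_uid = 10000;
static unsigned next_gid = 10000;

static bool lookup_sid(const char *sid, enum name_type *type)
{
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++) {
        if (strcmp(directory[i].sid, sid) == 0) {
            *type = directory[i].type;
            return true;
        }
    }
    *type = NAME_UNKNOWN;
    return false;
}

/* Behaviour the mail describes: with the type check #if 0'd out, sid_to_uid()
   allocates a uid for whatever SID it is handed and never fails. */
static bool sid_to_uid_unchecked(const char *sid, unsigned *uid)
{
    (void)sid;
    *uid = next_uid++;
    return true;
}

static bool sid_to_gid_unchecked(const char *sid, unsigned *gid)
{
    (void)sid;
    *gid = next_gid++;
    return true;
}

/* Fix 1 from the mail: re-enable the check so sid_to_uid() refuses SIDs
   that the directory says are not users (simplified: no local fallback). */
static bool sid_to_uid_checked(const char *sid, unsigned *uid)
{
    enum name_type type;
    if (!lookup_sid(sid, &type) || type != NAME_USER)
        return false;
    return sid_to_uid_unchecked(sid, uid);
}

enum owner_type { UID_ACE, GID_ACE, NO_ACE };

/* Order used in posix_acl.c as quoted: try uid, fall back to gid. */
enum owner_type classify_buggy(const char *sid)
{
    unsigned id;
    if (sid_to_uid_unchecked(sid, &id)) return UID_ACE;
    if (sid_to_gid_unchecked(sid, &id)) return GID_ACE;
    return NO_ACE;
}

/* Same order as posix_acl.c, but with the checked sid_to_uid(): a group SID
   now falls through to sid_to_gid() as intended. */
enum owner_type classify_fix_uncomment(const char *sid)
{
    unsigned id;
    if (sid_to_uid_checked(sid, &id)) return UID_ACE;
    if (sid_to_gid_unchecked(sid, &id)) return GID_ACE;
    return NO_ACE;
}

/* Fix 2 from the mail: resolve the name type first and call only the mapper
   that matches it, so nothing is allocated for a SID the directory rejects. */
enum owner_type classify_fix_lookup_first(const char *sid)
{
    enum name_type type;
    unsigned id;
    if (!lookup_sid(sid, &type)) return NO_ACE;
    if (type == NAME_USER && sid_to_uid_unchecked(sid, &id)) return UID_ACE;
    if (type == NAME_GROUP && sid_to_gid_unchecked(sid, &id)) return GID_ACE;
    return NO_ACE;
}
```

With the group SID, `classify_buggy()` returns `UID_ACE` and the idmap has already consumed a uid for it, which is exactly the stray user entry the mail reports; both fixes return `GID_ACE`. The two fixes differ on a SID the directory does not know at all: in this simplified model the uncomment variant still falls through to the unchecked `sid_to_gid()` and records it as a group, while the lookup-first variant maps nothing, so the type check on the gid side matters as much as on the uid side.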