Fixed: Re: 3.0a21: add a new group using ACL results in a new user in winbindd idmap

Chere Zhou qzhou at isilon.com
Thu Mar 13 00:02:49 GMT 2003


Although nobody replied to me, I still think this applies to HEAD and is a 
general problem.  

The reason behind this problem is that when you add a new group or user not 
known to winbindd_idmap.tdb through an ACL, the code in posix_acl.c does the 
following (line 1006):
                } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid, &sid_type)) {
                        current_ace->owner_type = UID_ACE;
                        current_ace->type = SMB_ACL_USER;
                } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid, &sid_type)) {
                        current_ace->owner_type = GID_ACE;
                        current_ace->type = SMB_ACL_GROUP;
                } else {

which means it tries to map the SID to a uid first and, if that fails, then to a gid.  
However, since the following code in sid_to_uid() is commented out:
/* (tridge) I commented out the slab of code below in order to support 
foreign SIDs
   Do we really need to validate the type of SID we have in this case?
*/
#if 0
        fstring dom_name, name;
        enum SID_NAME_USE name_type;

        *sidtype = SID_NAME_UNKNOWN;
        /*
         * First we must look up the name and decide if this is a user sid.
         */

        if ( (!winbind_lookup_sid(psid, dom_name, name, &name_type)) || (name_type != SID_NAME_USER) ) {
                BOOL result;
                DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - trying local.\n",
                                sid_to_string(sid_str, psid) ));

                become_root();
                result = local_sid_to_uid(puid, psid, sidtype);
                unbecome_root();
                return result;
        }

        /*
         * Ensure this is a user sid.
         */

        if (name_type != SID_NAME_USER) {
                DEBUG(10,("sid_to_uid: winbind lookup succeeded but SID is not a uid (%u)\n",
                                (unsigned int)name_type ));
                return False;
        }
#endif

a new SID will always successfully map to a uid.

The fix would be either to uncomment the above code in sid_to_uid(), or, in 
posix_acl.c, to call lookup_sid() before calling sid_to_uid() to find out the 
name type (user or group).

Are there any other options?

Chere


On Wednesday 05 March 2003 06:57 pm, Chere Zhou wrote:
> I am in an ADS domain.  From a Windows client, create a file, add a group
> to the file using ACLs (new means the group is not in winbindd database
> yet), the group is mapped as a user in the winbindd_idmap.tdb.  The group
> is not any special type, just a normal group (not local, not universal).
>
> Does anyone know about this problem?
>
> Thanks,
> Chere

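The ordering problem described in the mail, as an added stand-alone example (not Samba's code): lookup_sid(), sid_to_uid() and sid_to_gid() are constructed stand-ins that model the behaviour the mail describes (the type check in sid_to_uid() disabled, so the idmap hands out an id to any SID), and the SIDs are constructed sample values.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for lookup_sid(): the directory knows the object type
 * of the two sample SIDs; anything else is unknown. */
typedef enum { SID_NAME_UNKNOWN, SID_NAME_USER, SID_NAME_DOM_GRP } name_type_t;
static const struct { const char *sid; name_type_t type; } directory[] = {
    { "S-1-5-21-1-1-1-1001", SID_NAME_USER    },  /* constructed user SID */
    { "S-1-5-21-1-1-1-2001", SID_NAME_DOM_GRP },  /* constructed group SID */
};

static name_type_t lookup_sid(const char *sid) {
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].sid, sid) == 0) return directory[i].type;
    return SID_NAME_UNKNOWN;
}

/* Models sid_to_uid()/sid_to_gid() with the type check #if 0'd out: the idmap
 * allocates a fresh id for any SID it has not seen, so both calls always succeed. */
static unsigned next_uid = 10000, next_gid = 10000;
static bool sid_to_uid(const char *sid, unsigned *uid) { (void)sid; *uid = next_uid++; return true; }
static bool sid_to_gid(const char *sid, unsigned *gid) { (void)sid; *gid = next_gid++; return true; }

typedef enum { NO_ACE, UID_ACE, GID_ACE } owner_type_t;

/* The posix_acl.c order quoted in the mail: uid first, so an unknown group SID
 * is claimed by sid_to_uid() and recorded in the idmap as a user. */
static owner_type_t map_ace_current(const char *sid) {
    unsigned id;
    if (sid_to_uid(sid, &id)) return UID_ACE;
    if (sid_to_gid(sid, &id)) return GID_ACE;
    return NO_ACE;
}

/* The proposed fix: ask the directory what the SID is before picking a namespace,
 * and never allocate an id for a SID the directory does not know. */
static owner_type_t map_ace_fixed(const char *sid) {
    unsigned id;
    switch (lookup_sid(sid)) {
    case SID_NAME_USER:    return sid_to_uid(sid, &id) ? UID_ACE : NO_ACE;
    case SID_NAME_DOM_GRP: return sid_to_gid(sid, &id) ? GID_ACE : NO_ACE;
    default:               return NO_ACE;
    }
}
```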
