Primary Group SID

Bostjan Golob golob at gimb.org
Mon Feb 9 21:05:43 GMT 2004


On Mon, 2004-02-09 at 21:33, Andrew Bartlett wrote:
> On Tue, 2004-02-10 at 07:24, Bostjan Golob wrote:
> > On Mon, 2004-02-09 at 21:11, Andrew Bartlett wrote:
> > > On Tue, 2004-02-10 at 06:21, Bostjan Golob wrote:
> > > > I hacked together a little patch for the LDAP backend that resolves a
> > > > user's primary gid into a SID and uses that as the primary group SID. If
> > > > the group has no mapping, the user gets the Domain Users group as the
> > > > primary group.
> > > > 
> > > > This is just a quick proof-of-concept patch that probably needs some
> > > > polishing and moving into a more general location. If people are
> > > > satisfied with this patch, I'll make a more general one (a bit out of
> > > > practice with samba code at the moment :).
> > > 
> > > I don't like the getpwnam() lookup.  Now I remember what happened to
> > > this code...
> > > 
> > > I would prefer that we re-introduced the code to look at gidNumber, and
> > > translate it on that basis.  If the group mapping does not exist, then
> > > the algorithmic mapping should be used.
> > > 
> > 
> > That was my first intent, but I went with getpwnam() because in my case,
> > I have separate LDAP trees for samba and posix users (for testing now)
> > and the sambaSamAccount had no gidNumber. Also, the root account has no
> > posixAccount entry in LDAP, only a sambaSamAccount for joining the
> > machines in the domain and so on. 
> 
> I am going to do my best to break such silly LDAP setups...

Having separate posix and samba account trees is, I agree, silly on a
production server. But, it may be useful while testing. 
On the other hand, I don't find it silly if one has no posixAccount for
the root account in LDAP (since it's right there on top of the passwd
file...).

> We cannot do a getpwnam() because of the performance cost - the extra
> lookups are quite painful.  I'm also worried what the gid->sid lookups
> will cost us...

If gid->sid lookups at every initialization are too costly, then you are
either forced to put a lot of memberUid attributes in posixGroups or
synchronize sambaPrimaryGroupSIDs with their primary groups
manually/through a cronjob or sth. 


An idea is to get the gidNumber attribute first, if that fails, then
fallback on getpwnam(). See above regarding gid->sid lookups.

Bostjan Golob
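The resolution order proposed in this thread (gidNumber from the LDAP entry first, getpwnam() only as a fallback, then the group mapping, and either the algorithmic mapping or Domain Users when the gid is unmapped), written out as an added illustration. This is not Samba's code nor the patch under discussion: the LDAP entries, the passwd table, the group-mapping table and the domain SID are constructed sample data, and the algorithmic RID formula (2*gid + 1001) is assumed from Samba's historic default.

```python
"""Resolve a user's primary group SID from a posix gid.

Added example, not Samba code. Every table below is constructed sample data.
"""
from functools import lru_cache
from typing import Dict, Optional

# Constructed placeholder domain SID; a real one comes from the SAM.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"

# Stand-in for the posix side, i.e. what getpwnam() would consult.
# "root" has a passwd entry but (as in the thread) no posixAccount in LDAP.
PASSWD: Dict[str, Dict[str, int]] = {
    "root": {"uid": 0, "gid": 0},
    "alice": {"uid": 1000, "gid": 1000},
}

# Stand-in for Samba's group-mapping table: posix gid -> group SID.
GROUP_MAPPING: Dict[int, str] = {
    1000: f"{DOMAIN_SID}-3001",
}

# Counts how often the (expensive, backend) gid->sid lookup really runs.
LOOKUP_CALLS = {"count": 0}


def algorithmic_group_sid(gid: int) -> str:
    """Assumed algorithmic gid->RID mapping: RID = 2*gid + 1001."""
    return f"{DOMAIN_SID}-{2 * gid + 1001}"


@lru_cache(maxsize=None)
def gid_to_mapped_sid(gid: int) -> Optional[str]:
    """Group-mapping lookup, cached so repeated user initialisations with
    the same primary gid pay the lookup cost only once per gid."""
    LOOKUP_CALLS["count"] += 1
    return GROUP_MAPPING.get(gid)


def lookup_gid(entry: Dict[str, str], username: str) -> Optional[int]:
    """Prefer gidNumber on the LDAP entry; fall back to a getpwnam()-style
    lookup (here: the PASSWD dict) only when the attribute is absent."""
    if "gidNumber" in entry:
        return int(entry["gidNumber"])
    pw = PASSWD.get(username)
    return pw["gid"] if pw else None


def primary_group_sid(entry: Dict[str, str], username: str,
                      unmapped: str = "algorithmic") -> str:
    """Resolve the primary group SID for a sambaSamAccount entry.

    unmapped chooses the behaviour for a gid without a group mapping:
    "algorithmic" (the mapping preferred in the thread) or "domain_users"
    (what the proof-of-concept patch did).
    """
    gid = lookup_gid(entry, username)
    if gid is None:
        # No gid from LDAP or passwd: fall back to Domain Users.
        return f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"
    sid = gid_to_mapped_sid(gid)
    if sid is not None:
        return sid
    if unmapped == "domain_users":
        return f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"
    return algorithmic_group_sid(gid)


if __name__ == "__main__":
    # Constructed sambaSamAccount entries: with and without gidNumber.
    print(primary_group_sid({"gidNumber": "1000"}, "alice"))
    print(primary_group_sid({"gidNumber": "2000"}, "bob"))
    print(primary_group_sid({}, "root"))
    print(primary_group_sid({}, "nobody"))
```

Note that `gid_to_mapped_sid` is memoised: the second initialisation of any user sharing an already-resolved gid never reaches the mapping backend, which is the cheapest answer to the per-initialisation cost raised above.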
