disable storing S-1-22-{1,2} SIDs in the Sid to uid/gid cache

Gerald (Jerry) Carter jerry at samba.org
Thu Aug 31 18:28:19 GMT 2006


Here's a small patch to fix a bug in the SID to gid/uid
cache.  The problem is this:

Assume we have a gid of 1007 mapped to a real SID
in the machine's domain.  Both the S-1-22-2-1007 and
S-1-32-5-XXX-XXX-XX-XXX SIDs will map to the same
gid.  The gid should always map back to the SID in
the machine's domain since that is the important one.

So I'm disabling storing S-1-22-{1,2}-XX SIDs in
the cache.  This fixes a problem with the token creation
based on the order of SIDs in the cache.

This will be in 3.0.23c (and is the absolute last
bug before tomorrow's release...hopefully).

cheers, jerry
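The order dependence Jerry describes, reproduced in a toy cache. This is an added example, not Samba code: it models a newest-first list like the one the patch touches, a stand-in for sid_check_is_in_unix_groups() that just matches the S-1-22-2- prefix, and a constructed machine-domain SID (S-1-5-21-1111-2222-3333-1007) alongside S-1-22-2-1007 for gid 1007. The names store_gid_sid, fetch_sid_from_gid and domain_sid_wins are assumptions for illustration.

```c
/* Added example, not Samba code. A toy gid<->SID cache that shows why
 * caching both a "Unix Groups" SID (S-1-22-2-<gid>) and the machine-domain
 * SID for the same gid makes the gid->SID answer depend on insertion order,
 * and how refusing to cache the S-1-22-2 SID fixes that. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_CACHE 16
#define SID_LEN 64

struct gid_sid_entry {
    char sid[SID_LEN];
    gid_t gid;
};

struct gid_sid_cache {
    struct gid_sid_entry entries[MAX_CACHE]; /* entries[0] is the newest */
    int n;
    int skip_unix_groups; /* 0 = behaviour before the patch, 1 = after */
};

/* Stand-in for sid_check_is_in_unix_groups(): SID under S-1-22-2? (assumption) */
static int sid_is_in_unix_groups(const char *sid)
{
    return strncmp(sid, "S-1-22-2-", 9) == 0;
}

/* Store a mapping; newest entry goes to the front (assumed list order). */
static void store_gid_sid(struct gid_sid_cache *c, const char *sid, gid_t gid)
{
    if (c->skip_unix_groups && sid_is_in_unix_groups(sid))
        return; /* the patch's early return */
    if (c->n >= MAX_CACHE)
        return; /* toy cache: no turnover/eviction logic */
    memmove(&c->entries[1], &c->entries[0], c->n * sizeof(c->entries[0]));
    strncpy(c->entries[0].sid, sid, SID_LEN - 1);
    c->entries[0].sid[SID_LEN - 1] = '\0';
    c->entries[0].gid = gid;
    c->n++;
}

/* gid -> SID lookup: first match in list order wins, as in a linear scan. */
static const char *fetch_sid_from_gid(const struct gid_sid_cache *c, gid_t gid)
{
    for (int i = 0; i < c->n; i++)
        if (c->entries[i].gid == gid)
            return c->entries[i].sid;
    return NULL;
}

/* Store both SIDs for gid 1007 in the requested order, then ask the cache
 * which SID gid 1007 maps back to. Returns 1 if the domain SID came back. */
int domain_sid_wins(int patched, int unix_group_sid_first)
{
    struct gid_sid_cache c = { .n = 0, .skip_unix_groups = patched };
    /* Constructed sample values; the domain SID is an assumption. */
    const char *domain_sid = "S-1-5-21-1111-2222-3333-1007";
    const char *unix_grp_sid = "S-1-22-2-1007";

    if (unix_group_sid_first) {
        store_gid_sid(&c, unix_grp_sid, 1007);
        store_gid_sid(&c, domain_sid, 1007);
    } else {
        store_gid_sid(&c, domain_sid, 1007);
        store_gid_sid(&c, unix_grp_sid, 1007);
    }
    const char *got = fetch_sid_from_gid(&c, 1007);
    return got != NULL && strcmp(got, domain_sid) == 0;
}

int main(void)
{
    printf("unpatched, unix-group SID stored first: domain wins = %d\n",
           domain_sid_wins(0, 1));
    printf("unpatched, domain SID stored first:     domain wins = %d\n",
           domain_sid_wins(0, 0));
    printf("patched,   unix-group SID stored first: domain wins = %d\n",
           domain_sid_wins(1, 1));
    printf("patched,   domain SID stored first:     domain wins = %d\n",
           domain_sid_wins(1, 0));
    return 0;
}
```

Without the early return, whichever SID was stored last answers the gid lookup, so a token built from that answer can carry the S-1-22-2 SID instead of the domain SID; with it, the domain SID is the only cached answer for the gid regardless of order.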

Index: passdb/lookup_sid.c
--- passdb/lookup_sid.c	(revision 17968)
+++ passdb/lookup_sid.c	(working copy)
@@ -951,6 +951,11 @@
 	struct uid_sid_cache *pc;
+	/* do not store SIDs in the "Unix Group" domain */
+	if ( sid_check_is_in_unix_users( psid ) )
+		return;
 	if (n_uid_sid_cache >= MAX_UID_SID_CACHE_SIZE && n_uid_sid_cache > TURNOVER_UID_SID_CACHE_SIZE) {
 		/* Delete the last TURNOVER_UID_SID_CACHE_SIZE entries. */
 		struct uid_sid_cache *pc_next;
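Review bot: The comment added at the top of this hunk says "Unix Group" domain, but the check is sid_check_is_in_unix_users(), i.e. the S-1-22-1 "Unix User" domain; make the comment match, e.g. `/* do not store SIDs in the "Unix User" domain */`. Returning before the turnover block is the right place, since no entry has been allocated yet and there is nothing to unwind.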
@@ -1022,6 +1027,11 @@
 void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
 	struct gid_sid_cache *pc;
+	/* do not store SIDs in the "Unix Group" domain */
+	if ( sid_check_is_in_unix_groups( psid ) )
+		return;
 	if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && n_gid_sid_cache > TURNOVER_GID_SID_CACHE_SIZE) {
 		/* Delete the last TURNOVER_GID_SID_CACHE_SIZE entries. */
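Review bot: Style: `if ( sid_check_is_in_unix_groups( psid ) )` pads the parentheses while the adjacent `if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && ...)` in the same function does not; drop the inner spaces to match. Because the rejection is on the store side only, S-1-22-2 SIDs will now miss this cache on every lookup; that is the intent (the gid must map back to the machine-domain SID), so say so in the comment to stop someone re-adding the entries later.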
