New Unix user and group domain

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Feb 23 16:24:53 GMT 2006


On Tue, Feb 21, 2006 at 09:40:10PM -0600, Gerald (Jerry) Carter wrote:
> We have 3 possible solutions on the table to get from where we
> are in 3.0.21 to where we want to be in 3.0.22.
> 
> (a) have the administrator manually create the explicit
> group mapping which matches the SID assigned by 3.0.21,
> 
> (b) auto map the groups on behalf of the administrator, or
> 
> (c) Ignore the change in group SIDs entirely.

All true. Thanks for looking at it so deeply. These are the
options we have. The auto-mapping during the transition
phase would be based on the algorithm, and the admin has to
provide the hint when everything is auto-mapped.

Probably a script doing a pdbedit -L and auto-algo-mapping
all groups of those users showing up in "groups <username>"
would be more helpful.

> I think that (c) should be the default behavior.  For those
> people not affected by the security descriptor issue (i.e.
> only Samba file servers and running the 3.0.22 or higher on
> all servers).

You think we can get away with that? This is certainly
easiest.

> Now for those servers that will be adversely affected
> we have to carefully explain the scenarios and let the
> administrator decide.

Fine with that.

> I do not believe that (b) can reliably work.  There are too
> many differences between smbpasswd, tdb, and LDAP installations.
> And at what point do you stop automapping groups?  This
> solution seems only slightly better than what we have now
> and actually relies on more persistent storage (so more
> places for things to potentially go wrong).

I could imagine doing the auto-mapping based on the RID
allocator forever. When a user somehow becomes a member of a
newly created unix group, this is not reflected in the token
we send back in the info3 struct. For these cases I could
imagine doing the mapping on the fly.

> 1.  Why did you move the Unix create user/group calls into
>     the passdb API?  I don't understand what you are trying
>     to solve there.

Nothing so far. I want to give the admin the possibility to
live without 'add user script' and friends if
ldapsam:trusted=edit or so. These scripts have given me so
much headache in particular with LDAP that I want another
option.

> 2.  What is the real meaning of the pdb_rid_algorithm() call?
>     Which algorithm do you mean?  The one used by 3.0.21 or
>     the new Unix S-1-22- domains?

pdb_rid_algorithm() is true for smbpasswd and false for
tdbsam and ldapsam. smbpasswd will always live with the
uid*2+1000 thing, the others will have a RID allocator.

Now that we don't have stacked passdb modules anymore, this
could be changed to a simple comparison on "passdb backend".

Volker
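As an added illustration (not code from the thread, nor Samba's own) of the two SID schemes under discussion: the algorithmic uid*2+1000 mapping, its group counterpart gid*2+1001 and the S-1-22- Unix domains, plus the decode step that option (a) relies on when an admin recreates the group mapping a 3.0.21 server used in its security descriptors. The local domain SID is a constructed placeholder, and the gid*2+1001 group rule and the S-1-22-1/S-1-22-2 numbering are stated from the editor's knowledge of Samba, not from the thread.

```python
"""Added example: model Samba's algorithmic RID scheme and the S-1-22- Unix
domains, and recover gid -> SID pairs from SIDs a 3.0.21 server put into ACLs.

Assumptions (editor's reading of Samba, not stated in the thread):
  - algorithmic RIDs: user RID = uid*2 + 1000, group RID = gid*2 + 1001
  - Unix-domain SIDs: S-1-22-1-<uid> for users, S-1-22-2-<gid> for groups
"""
RID_BASE = 1000
RID_MULTIPLIER = 2
UNIX_USERS = "S-1-22-1"
UNIX_GROUPS = "S-1-22-2"
LOCAL_DOMAIN_SID = "S-1-5-21-111-222-333"  # constructed placeholder, not a real domain


def algorithmic_rid(unix_id, is_group):
    """The 3.0.21-style RID: even offsets are users, odd offsets are groups."""
    return unix_id * RID_MULTIPLIER + RID_BASE + (1 if is_group else 0)


def algorithmic_sid(unix_id, is_group, domain_sid=LOCAL_DOMAIN_SID):
    return f"{domain_sid}-{algorithmic_rid(unix_id, is_group)}"


def unix_domain_sid(unix_id, is_group):
    """The new scheme: no local domain involved, the uid/gid is the last component."""
    return f"{UNIX_GROUPS if is_group else UNIX_USERS}-{unix_id}"


def decode_algorithmic_sid(sid, domain_sid=LOCAL_DOMAIN_SID):
    """Invert the algorithm: (unix_id, is_group), or None if the SID is not
    an algorithmic SID of our local domain (foreign, well-known or malformed)."""
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    rid_text = sid[len(prefix):]
    if not rid_text.isdigit():
        return None
    rid = int(rid_text)
    if rid < RID_BASE:
        return None  # well-known RIDs below the base are never algorithmic
    offset = rid - RID_BASE
    return offset // RID_MULTIPLIER, bool(offset % RID_MULTIPLIER)


def legacy_group_mappings(acl_sids, known_gids, domain_sid=LOCAL_DOMAIN_SID):
    """Option (a): for every ACL SID that decodes to an algorithmic group RID of a
    gid that still exists, return the gid -> SID pair the admin has to map
    explicitly so the upgraded server keeps honouring that ACL entry."""
    mappings = {}
    for sid in acl_sids:
        decoded = decode_algorithmic_sid(sid, domain_sid)
        if decoded is None or not decoded[1]:
            continue  # user SIDs and non-algorithmic SIDs need no group mapping
        gid = decoded[0]
        if gid in known_gids:
            mappings[gid] = sid
    return mappings
```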
