New Unix user and group domain
Volker Lendecke
Volker.Lendecke at SerNet.DE
Thu Feb 23 16:24:53 GMT 2006
On Tue, Feb 21, 2006 at 09:40:10PM -0600, Gerald (Jerry) Carter wrote:
> We have 3 possible solutions on the table to get from where we
> are in 3.0.21 to where we want to be in 3.0.22.
>
> (a) have the administrator manually create the explicit
> group mapping which matches the SID assigned by 3.0.21,
>
> (b) auto map the groups on behalf of the administrator, or
>
> (c) Ignore the change in group SIDs entirely.
All true. Thanks for looking at it so deeply. These are the
options we have. The auto-mapping during the transition
phase would be based on the algorithm, and the admin has to
provide the hint when everything is auto-mapped.
Probably a script doing a pdbedit -L and auto-algo-mapping
all groups the users showing up by "groups <username>" would
be more helpful.
> I think that (c) should be the default behavior. For those
> people not affected by the security descriptor issue (i.e.
> only Samba file servers and running the 3.0.22 or higher on
> all servers).
You think we can get away with that? This is certainly
easiest.
> Now for those servers that will be adversely affected
> we have to carefully explain the scenarios and let the
> administrator decide.
Fine with that.
> I do not believe that (b) can reliably work. There are too
> many differences between smbpasswd, tdb, and LDAP installations.
> And at what point do you stop automapping groups? This
> solution seems only slightly better than what we have now
> and actually relies on more persistent storage (so more
> places for things to potentially go wrong).
I could imagine doing the auto-mapping based on the RID
allocator forever. When a user somehow becomes a member of a
newly created unix group, this is not reflected in the token
we send back in the info3 struct. For these cases I could
imagine doing the mapping on the fly.
> 1. Why did you move the Unix create user/group calls into
> the passdb API? I don't understand what you are trying
> to solve there.
Nothing so far. I want to give the admin the possibility to
live without 'add user script' and friends if
ldapsam:trusted=edit or so. These scripts have given me so
much headache in particular with LDAP that I want another
option.
> 2. What is the real meaning of the pdb_rid_algorithm() call?
> Which algorithm do you mean? The one used by 3.0.21 or
> the new Unix S-1-22- domains?
pdb_rid_algorithm() is true for smbpasswd and false for
tdbsam and ldapsam. smbpasswd will always live with the
uid*2+1000 thing, the others will have a RID allocator.
Now that we don't have stacked passdb modules anymore, this
could be changed to a simple comparison on "passdb backend".
Volker
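The transition script Volker sketches above (run pdbedit -L, look up each user's groups with "groups <username>", then create an explicit mapping for every group using the algorithmic SID), as an added illustration that is not code from this thread or from Samba: a Python dry-run planner over constructed sample output. It emits the net groupmap commands for an administrator to review rather than executing anything. Assumptions, all hypothetical: the parsed pdbedit -L and groups output formats, the inline gid table standing in for getent, the placeholder domain SID, the constructed set of pre-existing mappings, and the gid*2+1001 group formula (the message itself only states uid*2+1000 for users). The backend check mirrors what the message says about pdb_rid_algorithm(): true for smbpasswd, false for tdbsam and ldapsam.

```python
#!/usr/bin/env python3
"""Dry-run planner for explicit group mappings during a 3.0.21 -> 3.0.22 move.

Hypothetical helper: parses constructed `pdbedit -L` and `groups <user>`
output, derives algorithmic group RIDs, and prints the `net groupmap add`
commands an admin could review. Nothing here touches a live passdb.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `pdbedit -L` output (username:uid:full name).
PDBEDIT_L_OUTPUT = """\
alice:1001:Alice Example
bob:1002:Bob Example
svc-backup:1050:Backup Service
"""

# Constructed sample of `groups <user>` output, keyed by user.
GROUPS_OUTPUT: Dict[str, str] = {
    "alice": "alice : alice staff developers",
    "bob": "bob : bob staff",
    "svc-backup": "svc-backup : svc-backup backup",
}

# Constructed gid table standing in for `getent group` / getgrnam().
GID_TABLE: Dict[str, int] = {
    "alice": 1001, "bob": 1002, "svc-backup": 1050,
    "staff": 500, "developers": 501, "backup": 502,
}

# Placeholder: the real domain SID comes from `net getlocalsid`.
DOMAIN_SID = "S-1-5-21-PLACEHOLDER"

# Constructed: groups that already have an explicit mapping
# (what `net groupmap list` would report today).
EXISTING_MAPPINGS: Set[str] = {"staff"}


def pdb_rid_algorithm(passdb_backend: str) -> bool:
    """As described in the message: smbpasswd keeps the algorithmic RIDs,
    tdbsam and ldapsam use a RID allocator (the backend string may carry
    options after a colon, e.g. "ldapsam:ldap://host")."""
    return passdb_backend.split(":", 1)[0].strip() == "smbpasswd"


def algorithmic_user_rid(uid: int) -> int:
    # The uid*2+1000 rule named in the message.
    return uid * 2 + 1000


def algorithmic_group_rid(gid: int) -> int:
    # Assumption: the matching group rule is gid*2+1001 (odd RIDs for
    # groups); the message only states the user formula.
    return gid * 2 + 1001


def parse_pdbedit_list(text: str) -> List[Tuple[str, int]]:
    """Parse `pdbedit -L` lines of the form username:uid:fullname."""
    users: List[Tuple[str, int]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, uid, _fullname = line.split(":", 2)
        users.append((name, int(uid)))
    return users


def parse_groups_line(line: str) -> List[str]:
    """`groups user` prints "user : g1 g2 ..."; return the group names."""
    _user, _sep, rest = line.partition(":")
    return rest.split()


def plan_group_mappings(passdb_backend: str, pdbedit_text: str,
                        groups_by_user: Dict[str, str],
                        gid_table: Dict[str, int],
                        existing: Set[str], domain_sid: str) -> List[str]:
    """Return the `net groupmap add` commands needed so every group of every
    passdb user gets the SID the algorithmic scheme would have assigned.
    Allocator backends get no algorithmic plan at all."""
    if not pdb_rid_algorithm(passdb_backend):
        return []
    needed: Set[str] = set()
    for user, _uid in parse_pdbedit_list(pdbedit_text):
        needed.update(parse_groups_line(groups_by_user.get(user, f"{user} :")))
    commands: List[str] = []
    for group in sorted(needed - existing):
        sid = f"{domain_sid}-{algorithmic_group_rid(gid_table[group])}"
        commands.append(
            f"net groupmap add sid={sid} unixgroup={group} type=domain")
    return commands


if __name__ == "__main__":
    for cmd in plan_group_mappings("smbpasswd", PDBEDIT_L_OUTPUT, GROUPS_OUTPUT,
                                   GID_TABLE, EXISTING_MAPPINGS, DOMAIN_SID):
        print(cmd)
```

The planner only prints commands, so the administrator can check each proposed SID against what 3.0.21 actually handed out before any mapping is written; groups that already appear in the existing-mapping set are skipped so a second run does not try to re-add them.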