New Unix user and group domain

Gerald (Jerry) Carter jerry at samba.org
Fri Feb 24 17:46:30 GMT 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Volker Lendecke wrote:

> On Tue, Feb 21, 2006 at 09:40:10PM -0600, Gerald (Jerry) Carter wrote:

>> (a) have the administrator manually create the explicit
>> group mapping which matches the SID assigned by 3.0.21,
>>
>> (b) auto map the groups on behalf of the administrator, or
>>
>> (c) Ignore the change in group SIDs entirely.
...
>> I think that (c) should be the default behavior.  For those
>> people not affected by the security descriptor issue (i.e.
>> only Samba file servers and running the 3.0.22 or higher on
>> all servers).
> 
> You think we can get away with that? This is certainly
> easiest.

I do.  We are really only worrying about upgraded DCs.
There are a lot of them, but I do not think them to be
the majority of the server install base.

The more I think about it, the upgraded DC scenario
really falls into 2 categories.

(a) migrated domains, and
(b) pure-blood Samba domains.

The first is obvious a problem.  The second is a problem when
allowing the admin to manually associated a RID with a group.
So we should disallow that except for well known RIDs below
1000.

> 
>> Now for those servers that will be adversely affected
>> we have to careful;y explain the scenarios and let the
>> administrator decide.
> 
> Fine with that.
> 
>> I do not believe that (b) can reliably work.  There are too
>> many differences between smbpasswd, tdb, and LDAP installations.
>> And at what point do you stop automapping groups?  This
>> solutions seems only slightly better than what we have now
>> and actually replies on more persistent storage (so more
>> places for things to potentially go wrong).
> 
> I could imagine doing the auto-mapping based on the RID
> allocator forever. When a users somehow becomes member of a
> newly created unix group, this is not reflected in the token
> we send back in the info3 struct. For these cases I could
> imagine doing the mapping on the fly.

How about this configuration:

* In all configurations default to 513 as the user's primary
     group in the ansence of a valid gid_to_sid() result in
     the server's SAM domain).

* standalone, member server, new Samba domain - don't worry
     about the RID algorithm from 3.0.21.  Just use the S-1-22-X
     domains

* Upgraded pure-blood Samba DC - no persistent mapping.  Just
     continue to use the use the RID algorithm.  Do not allow
     manual group mappings above 1000 and do not use a
     monotonic RID allocation scheme.

* Samba domain migrated from Windows DC - Use existing group
     mappings (should have been established by the 'net rpc
     vampire' proicess)..  Unmapped groups are shown in the
     S-1-22-2 domain.

This is not so insurmountable.  It allows us to choose and all
or none solution.


>> 1.  Why did you move the Unix create user/group calls into
>>     the passdb API?  I don't understand what you are trying
>>     to solve there.
> 
> Nothing so far. I want to give the admin the possibility to
> live without 'add user script' and friends if
> ldapsam:trusted=edit or so. These scripts have given me so
> much headache in particular with LDAP that I want another
> option.

ok.  I see the advantage.  As lonbg as the default still falls
back to external scripts, then I'll go along.

> 
>> 2.  What is the real meaning of the pdb_rid_algorithm() call?
>>     Which algorithm do you mean?  The one used by 3.0.21 or
>>     the new Unix S-1-22- domains?
> 
> pdb_rid_algorithm() is true for smbpasswd and false for
> tdbsam and ldapsam. smbpasswd will always live with the
> uid*2+1000 thing, the others will have a RID allocator.
> 
> Now that we don't have stacked passdb modules anymore, this
> could be changed to a simple comparison on "passdb backend".

A (BOOL)fn() is fine.  It's better to keep it in the API as hard
coded checks of names are bound to bit rot.








cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD/0Z2IR7qMdg1EfYRArtXAKDIp5FIOL4JO2UV8vMYKfv3mt5c/wCfaNpJ
GYjdEcx+j4+X2PVPtykaOF0=
=DUh5
-----END PGP SIGNATURE-----

More information about the samba-technical mailing list