unpack_nt_owners fails with owner S-1-5-32-544

tridge at samba.org tridge at samba.org
Tue Oct 24 21:21:05 GMT 2006


 > That's indeed a very good question, and in fact this is
 > another argument for winbind to always allocate both a uid
 > and a gid whenever a unix id is needed.

I've been thinking about doing this for sidmap in Samba4, and it
certainly does make some thing easier, but doesn't completely solve
the problem.

Say you allocate both a uid and a gid to a SID, and then create a ACL
based on that. If you are using either posix ACLs or NFS4 ACLs then
the ACL format on disk is different depending on whether the id is a
gid or a uid. So you have to pick one or the other at the point at
which you map the internal NT ACL to a on-disk ACL. If you later
discover that you've picked the wrong type, then in theory you would
need to scan the entire disk (and all backups!) for any file that has
it wrong, and 'fix' it. Not very practical :(

I still think the idea of creating both a uid and a gid for a SID of
unknown type is worth considering, we just need to try to come up with
something that minimises the impact of getting it wrong.

The best thing I have thought of so far is this:

 - create both a uid and a gid for SIDs of unknown type

 - when saving an ACL in a format that needs to know which it is, then
   for owner_sid field pick uid, for group_sid field pick gid, and for
   ACEs store both a uid based ACE and a gid based ACE, both of which
   map to the same SID.

 - once we know which type the SID is, update the sidmap database to
   flag which type it is, but also keep in the database the 'wrong'
   mapping, keeping the incorrect gid or uid reserved.

 - when reading in an ACL from disk and doing the reverse mapping
   (uid/gid to SID) the mapping will look in the sidmap database, and
   if it comes across an entry which has now been flagged to indicate
   that the ACL had the wrong type then fix the ACL on disk by
   removing the incorrect ACE.

 - for ACLs where we find that the 'owner' is really a group, or where
   the 'group_sid' is really a user, then keep using the reserved
   uid/gid of the wrong type. This isn't ideal, but I can't see a way
   to avoid it. At least it allows us to correctly map to NT ACLs.

It's not ideal as incorrect ACLs are only fixed when Samba accesses
them, but by keeping the incorrect uid or gid reserved we minimise the
risk of incorrect behaviour. 

The keys to this system are:

 - reserve both a uid and a gid for SIDs of unknown type
 - keep them both reserved even after we know the real type
 - use duplicate ACEs in mapped ACLs for posix and NFS4 ACLs where the
   SID has an unknown type
 - remove the duplicate ACE when we come across the file and we have
   resolved what type the SID really is

Cheers, Tridge

More information about the samba-technical mailing list