[Patch] Add an idmap implementation to winbind

Kai Blin kai at samba.org
Thu Feb 14 17:12:05 GMT 2008


On Thursday 14 February 2008 17:12:23 simo wrote:

> Reading the first patch I see you re-introduced idmap uid and idmap gid
> ranges in smb.conf, please don't do that, as this is a new
> implementation anyway, please keep the ranges in the database itself.
> Also I'd suggest only using one range for both uid and gid, the added
> flexibility is not worth the confusion imo.

Sure, can do.

> Also I would not introduce the idmap database, why can't we put this
> stuff into sam.ldb?

Creating a new db was easier for the first try to do this.

> Eventually as a separate partition?

Sure, if someone tells me how to do this. Finding my way around ldb has been 
really cumbersome so far.

>
> Reading the fourth patch it appears like you are using your functions in
> a set of composite functions, this means that you are introducing
> blocking synchronous calls (gendb_search) in a supposedly async set
> of calls, not good.

My first go at getting id mapping into winbind was using sidmap, which uses 
the same calls. Also, in the beginning I was trying to stay close to the API 
Samba3 idmap provided. Fair enough, I'll change it once somebody points me at 
the calls to use instead.

> Reading the fifth patch I see no call to validate a SID before consuming
> a uid/gid to make a mapping. This means someone can simply query for N
> non-existing SIDs and deplete the given range (DoS).

Validate as in how? Last time I discussed this with Metze he told me I should 
map SIDs even if they're not from a trusted domain.

> Also the high watermark is simply replaced, not deleted and added, this
> means in theory 2 concurrent processes can allocate the same uid/gid to 2
> different SIDs and never notice, as the high watermark update is not
> atomic. Transactions are not used either so there is no way to detect it
> later and rollback.

Again, just tell me what calls I should use.

Cheers,
Kai

-- 
Kai Blin
WorldForge developer  http://www.worldforge.org/
Wine developer        http://wiki.winehq.org/KaiBlin
Samba team member     http://www.samba.org/samba/team/
--
Will code for cotton.
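The watermark race and the range-exhaustion point raised above, as an added example that is not code from the patch or from Samba: a constructed in-memory idmap store holding one range and a high watermark, with two allocations interleaved deterministically. A blind replace of the watermark hands the same id to two SIDs; a compare-and-swap on the watermark (the guarantee a database transaction would give) detects the conflict and retries. All names, SIDs and the range are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class IdmapStore:
    """Constructed stand-in for the idmap database: one id range plus a watermark."""
    high: int                                      # top of the allocatable range
    hwm: int                                       # next unallocated id
    mappings: dict = field(default_factory=dict)   # SID -> id

    def replace_hwm(self, new):
        """Blind replace, the pattern under review: no conflict detection."""
        self.hwm = new

    def cas_hwm(self, expected, new):
        """Compare-and-swap: advances only if nobody moved the watermark meanwhile."""
        if self.hwm != expected:
            return False
        self.hwm = new
        return True


def allocate(store, sid, atomic):
    """Allocation as a generator: it pauses between reading and writing the
    watermark so a scheduler can interleave two allocations deterministically."""
    while True:
        seen = store.hwm
        if seen > store.high:
            raise RuntimeError("idmap range exhausted")  # refuse rather than wrap or reuse
        yield                                            # another process may run here
        if atomic:
            if not store.cas_hwm(seen, seen + 1):
                continue                                 # lost the race: re-read and retry
        else:
            store.replace_hwm(seen + 1)
        store.mappings[sid] = seen
        return seen


def run_interleaved(store, sids, atomic):
    """Worst-case schedule: every process reads the watermark before any writes."""
    procs = [allocate(store, s, atomic) for s in sids]
    for p in procs:
        next(p)                                          # all read hwm, then pause
    results = {}
    for sid, p in zip(sids, procs):
        try:
            while True:
                next(p)                                  # resume; loops again on retry
        except StopIteration as done:
            results[sid] = done.value
    return results
```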