Why are we allocating ID_TYPE_BOTH on a user or machine SID type ?

Andrew Bartlett abartlet at samba.org
Wed Oct 16 19:04:04 MDT 2013


On Wed, 2013-10-16 at 16:51 -0700, Jeremy Allison wrote:
> I'm looking at a really subtle problem someone is
> having with POSIX ACLs that only started to occur
> on an upgrade to 4.0.x authenticating against an
> AD domain with idmap backend = rid.
> 
> In this circumstance when we're mapping a SID
> we haven't seen before, the code in :
> 
> source3/winbindd/idmap_rid.c:idmap_rid_sid_to_id()
> 
> algorithmically maps both a uid and gid and returns a
> type of ID_TYPE_BOTH.
> 
> Can someone explain that decision ? To my
> naive eye it would seem to have been better
> to only map both a uid and gid and return
> ID_TYPE_BOTH when the type looked up from
> the LookupRid call against the DC returned
> was of type SID_NAME_DOM_GRP, SID_NAME_DOMAIN
> SID_NAME_ALIAS, SID_NAME_WKN_GRP.
> 
> When the incoming SID is known to be of
> type SID_NAME_USER or SID_NAME_COMPUTER
> then why are we mapping both a uid and
> gid ?
> 
> At the time we're doing the mapping we've
> already consulted the DC via LookupRid
> so we know the type we are to map.
> 
> I can probably fix this another way,
> but it'll be ugly and it would be much
> easier to have a SID_NAME_USER or SID_NAME_COMPUTER
> SID type mapped solely to ID_TYPE_UID :-(.

It makes it deterministic no matter whether we could verify if a SID is a user
or not, and allows us to function when the domain is migrated and the
user SID ends up in sidHistory, rather than being the user's SID.

Also, as seen in the AD DC (but available generally), a group needs to
be a UID when the group owns files. 

Andrew Bartlett


-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz