SID Compression and member servers ...

Richard Sharpe realrichardsharpe at gmail.com
Mon Jun 16 07:18:03 MDT 2014


On Mon, Jun 16, 2014 at 1:45 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Sat, Jun 14, 2014 at 03:20:19PM -0700, Richard Sharpe wrote:
>> On Sat, Jun 14, 2014 at 2:44 PM, Richard Sharpe
>> <realrichardsharpe at gmail.com> wrote:
>> > For anyone following along at home the attached patch might work :-)
>> >
>> > It compiles, but I don't have a debug setup to test it with at the moment.
>>
>> A fix for the obvious error ...
>>
>> --
>> Regards,
>> Richard Sharpe
>> (What can dispel sorrow? Only Du Kang. --Cao Cao)
>
>> diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
>> index 05c4ddc..912a271 100644
>> --- a/source3/auth/auth_generic.c
>> +++ b/source3/auth/auth_generic.c
>> @@ -34,6 +34,46 @@
>>  #include "lib/param/loadparm.h"
>>  #include "librpc/gen_ndr/dcerpc.h"
>>
>> +/*
>> + * Merge the SIDs in the resource groups into the info3 ...
>> + */
>> +NTSTATUS merge_resource_sids(struct PAC_LOGON_INFO *logon_info,
>> +                          struct netr_SamInfo3 *info3)
>> +{
>> +     NTSTATUS status = NT_STATUS_OK;
>> +     int i = 0;
>> +     struct dom_sid new_sid;
>> +
>> +     sid_copy(&new_sid, logon_info->res_group_dom_sid);
>> +     /*
>> +      * Construct a SID for each RID in the list and then append it
>> +      * to the info3 ...
>> +      */
>> +     for (i = 0; i < logon_info->res_groups.count  ; i++) {
>> +             uint32_t attributes = logon_info->res_groups.rids[i].attributes;
>> +
>> +             sid_append_rid(&new_sid, logon_info->res_groups.rids[i].rid);
>> +
>> +             DEBUG(10, ("Adding SID %s to extra SIDS\n",
>> +                     sid_string_dbg(&new_sid)));
>> +
>> +             status = append_netr_SidAttr(info3, &info3->sids,
>> +                                          &info3->sidcount,
>> +                                          &new_sid,
>> +                                          attributes);
>> +             if (!NT_STATUS_IS_OK(status)) {
>> +                     DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
>> +                             sid_string_dbg(&new_sid),
>> +                             nt_errstr(status)));
>> +                     return status;
>> +             }
>> +
>> +             new_sid.num_auths--; /* Get rid of the RID we added */
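
Review bot: In the for loop, the return value of sid_append_rid() is discarded and the following new_sid.num_auths-- runs unconditionally, so if an append ever fails the decrement strips a sub-authority from the copied domain SID and every later entry is built on the wrong base. Check the result and return an error, or build each SID in a loop-local variable so there is nothing to undo. Before the loop, sid_copy() reads logon_info->res_group_dom_sid with no NULL check, which matters if a PAC can arrive without resource groups; an early return of NT_STATUS_OK in that case would cover it. Two smaller points: "int i" is compared against res_groups.count and is better declared with the count's type, and merge_resource_sids() is added to a .c file without "static", so it should either be static or get a prototype in a header if the winbindd_pam.c change calls it.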
>
> Instead of doing this magic with sid internals I would
> propose to put the "new_sid" into the for-loop and work with
> the routine sid_compose. Sids are not that large, so the
> performance penalty from copying res_group_dom_sid should be
> minimal I guess.

OK, that's a reasonable suggestion. I will rework things and as per my
patch that will include the correct change to winbindd_pam.c as well
and include your suggestion and post it with a signed-off-by. Probably
be tomorrow now.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
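
Added example, not part of the original thread and not Samba code: a self-contained C model of the two loop shapes discussed above, the shared SID with `num_auths--` from the quoted hunk and a per-iteration composed SID as suggested in the review. `demo_sid`, `demo_append_rid` and `demo_compose` are hypothetical stand-ins, assumed to behave like the Samba helpers named in the thread.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_SUBAUTHS 15 /* a SID holds at most 15 sub-authorities */

/* Simplified stand-in for a SID; not Samba's struct dom_sid. */
struct demo_sid {
	uint8_t num_auths;
	uint32_t sub_auths[MAX_SUBAUTHS];
};

/* Append a RID in place; fails when the SID is already full. */
static bool demo_append_rid(struct demo_sid *sid, uint32_t rid)
{
	if (sid->num_auths >= MAX_SUBAUTHS) return false;
	sid->sub_auths[sid->num_auths++] = rid;
	return true;
}

/* Copy the domain SID into dst and append the RID to the copy. */
static bool demo_compose(struct demo_sid *dst, const struct demo_sid *dom,
			 uint32_t rid)
{
	*dst = *dom;
	return demo_append_rid(dst, rid);
}

/* Pattern in the quoted hunk: one shared SID, append, then num_auths--. */
void shared_sid_loop(struct demo_sid *work, const uint32_t *rids, int n)
{
	for (int i = 0; i < n; i++) {
		(void)demo_append_rid(work, rids[i]); /* result ignored */
		work->num_auths--; /* drops a domain sub-auth if append failed */
	}
}

/* Suggested pattern: fresh SID per RID; returns how many were composed. */
int composed_sid_loop(const struct demo_sid *dom, const uint32_t *rids, int n)
{
	int composed = 0;
	for (int i = 0; i < n; i++) {
		struct demo_sid sid;
		if (!demo_compose(&sid, dom, rids[i])) {
			break; /* stop on the first failure; dom is untouched */
		}
		composed++;
	}
	return composed;
}
```

With a domain SID that already carries 15 sub-authorities, the first loop leaves the shared SID one sub-authority short and overwrites its last element on later iterations, while the second composes nothing and leaves the domain SID intact.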

