with most recent git master smbd fails to start in AD DC mode

Andrew Bartlett abartlet at samba.org
Sun Mar 23 00:58:53 MDT 2014

On Sat, 2014-03-22 at 21:42 -0700, Jeremy Allison wrote:
> On Sat, Mar 22, 2014 at 09:34:00PM -0700, Jeremy Allison wrote:
> > 
> > It should apply cleanly on top of current
> > master (once you've removed the earlier
> > test patch I sent you).
> > 
> > Let me know if it fixes the issue for
> > you, and I'll be able to do some testing
> > myself on Monday.
> Gah. Here's the correct version (finger
> trouble, sorry). Earlier verion returned
> on a non-mappable SID, sorry.

I'm not convinced this is any more correct either.  The issue is that in
the AD DC, 'guest account' as a parameter is ignored.  It is defined
only in the sam as the holder of the guest account SID (-513).
Additionally, unix groups are not relevant in the AD DC.

Even in the general case, we should not call getpwuid() if the SID is in
our local domain - we won't find any more groups anyway, and as the
original patch says, it is inefficient. 

More broadly, I think we need is some more hooks on the auth methods,
one to override the initialisation step, and one to provide the
session_info for the guest only case (the only case that uses this in
the AD DC).

While I understand the performance issues that created the
pre-calculation here, this continues to reinforce to me how delicate it
is, and I do wish we could avoid or dramatically improve it. 

I appreciate you working with Günter on this.  As you have found out,
this is a sensitive area, please don't merge a patch to further fix this
without my review.

Andrew Bartlett 

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list