with most recent git master smbd fails to start in AD DC mode
Andrew Bartlett
abartlet at samba.org
Sun Mar 23 00:58:53 MDT 2014
On Sat, 2014-03-22 at 21:42 -0700, Jeremy Allison wrote:
> On Sat, Mar 22, 2014 at 09:34:00PM -0700, Jeremy Allison wrote:
> >
> > It should apply cleanly on top of current
> > master (once you've removed the earlier
> > test patch I sent you).
> >
> > Let me know if it fixes the issue for
> > you, and I'll be able to do some testing
> > myself on Monday.
>
> Gah. Here's the correct version (finger
> trouble, sorry). Earlier verion returned
> NT_STATUS_UNSUCCESSFUL instead of NT_STATUS_OK
> on a non-mappable SID, sorry.
I'm not convinced this is any more correct either. The issue is that in
the AD DC, 'guest account' as a parameter is ignored. It is defined
only in the sam as the holder of the guest account SID (-513).
Additionally, unix groups are not relevant in the AD DC.
Even in the general case, we should not call getpwuid() if the SID is in
our local domain - we won't find any more groups anyway, and as the
original patch says, it is inefficient.
More broadly, I think we need is some more hooks on the auth methods,
one to override the initialisation step, and one to provide the
session_info for the guest only case (the only case that uses this in
the AD DC).
While I understand the performance issues that created the
pre-calculation here, this continues to reinforce to me how delicate it
is, and I do wish we could avoid or dramatically improve it.
I appreciate you working with Günter on this. As you have found out,
this is a sensitive area, please don't merge a patch to further fix this
without my review.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list