"NT Authority" mapping failures

Rowland Penny rpenny at samba.org
Tue Nov 27 17:39:53 UTC 2018


On Tue, 27 Nov 2018 09:31:40 -0800
Jeremy Allison via samba-technical <samba-technical at lists.samba.org>
wrote:

> On Tue, Nov 27, 2018 at 06:26:42PM +0100, Ralph Böhme wrote:
> > Hi Jeremy,
> > 
> > I came across this ancient gem: :)
> > 
> > 0492effcf36bc1229d0d2e9250b6c6c36af0b117
> > 
> > By chance, do you remember the reasoning for ignoring mapping
> > failures with these two domains?
> 
> Historically we didn't map Creator_Owner_Domain to a valid uid
> (as it should have gotten changed to the creator uid/gid).
> 
> > I'm asking because I just stumbled across that currently mapping
> > users and groups from "NT Authority" fails. I discovered this
> > (though I faintly remember I ran into this before) when modifying
> > CI to run raw.acls tests against the enhanced vfs_nfs4acl_xattr
> > module.
> > 
> > Most tests failed because lookupname "NT Authority/Authenticated
> > Users" isn't working. I have a WIP patch to fix this (attached) and
> > while poking around I came across the above commit that paves above
> > such mapping failures in the posix_acls.c code.
> > 
> > Thoughts? :)
> 
> It's the conversion of SID->uid/gid for meta-sids that have no POSIX
> meaning that I was avoiding here.
> 
> Didn't want the POSIX ACL set to fail if it couldn't convert
> a SID->uid/gid for an ACE entry that couldn't be represented
> in a POSIX ACE entry.
> 
> No reason winbindd shouldn't handle them, so long as it doing
> so doesn't break the conversion of Windows ACL -> POSIX ACL.
> 
> That's what I remember :-).
> 
> Jeremy.
> 
> 
> > -- 
> > Ralph Boehme, Samba Team                https://samba.org/
> > Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
> > GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
> 
> > From f4663336ad11e8507ec771f91d0820fbebc91ab2 Mon Sep 17 00:00:00 2001
> > From: Ralph Boehme <slow at samba.org>
> > Date: Tue, 27 Nov 2018 17:05:58 +0100
> > Subject: [PATCH] WIP: winbindd: handle "NT Authority"
> > 
> > Without this:
> > 
> >   $ bin/wbinfo -n "NT Authority/Authenticated Users"
> >   failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> >   Could not lookup name NT Authority/Authenticated Users
> > 
> >   $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
> >   failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
> >   Could not get info for group NT Authority/Authenticated Users
> > 
> > With the patch:
> > 
> >   $ bin/wbinfo -n "NT Authority/Authenticated Users"
> >   S-1-5-11 SID_WKN_GROUP (5)
> > 
> >   $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
> >   NT AUTHORITY/authenticated users:
> > ---
> >  source3/winbindd/winbindd_util.c | 7 ++++---
> >  1 file changed, 4 insertions(+), 3 deletions(-)
> > 
> > diff --git a/source3/winbindd/winbindd_util.c
> > b/source3/winbindd/winbindd_util.c index 090a90574ce..e4af81ea868
> > 100644 --- a/source3/winbindd/winbindd_util.c
> > +++ b/source3/winbindd/winbindd_util.c
> > @@ -1516,11 +1516,12 @@ struct winbindd_domain
> > *find_lookup_domain_from_sid(const struct dom_sid *sid) struct
> > winbindd_domain *find_lookup_domain_from_name(const char
> > *domain_name) { if ( strequal(domain_name, unix_users_domain_name()
> > ) ||
> > -	     strequal(domain_name, unix_groups_domain_name() ) )
> > +	     strequal(domain_name, unix_groups_domain_name() ) ||
> > +	     strequal(domain_name, "NT Authority"))
> >  	{
> >  		/*
> > -		 * The "Unix User" and "Unix Group" domain our
> > handled by
> > -		 * passdb
> > +		 * The "Unix User", "Unix Group" and "NT
> > Authority" domains our
> > +		 * handled by passdb
> >  		 */
> >  		return
> > find_domain_from_name_noinit( get_global_sam_name() ); }
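
Review bot: the added comparison strequal(domain_name, "NT Authority") hard-codes the domain name as a string literal, while the two checks beside it take theirs from unix_users_domain_name() and unix_groups_domain_name(); a named constant or helper for this name would keep it defined in one place. In the rewritten comment, "domains our handled by passdb" should read "domains are handled by passdb" (the removed comment had the same slip). The commit message demonstrates only "NT Authority/Authenticated Users", so a test that runs lookupname for that name would pin the new behaviour and help confirm it does not disturb the Windows ACL to POSIX ACL conversion discussed in this thread.
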
> > -- 
> > 2.17.2
> > 
> 
> 

Sorry to butt in here ;-) 
But, shouldn't the 'our' in the comment be 'are' ?

Rowland


