[Samba] Concern about 3.0.22->3.0.23b upgrade (algorithmic SIDs issue)

Michael Deutschmann michael at talamasca.ocis.net
Thu Aug 31 15:02:21 GMT 2006


On Sat, 26 Aug 2006, you wrote:
> > I'm running as a lone Samba PDC, and -not-
> > using winbindd.
>
> The RID algorithm in 3.0.23c will potentially impact you.
> Have I already suggested testing the 3.02.3c-gwc patch
> at http://www.samba.org/~jerryy/patches/ ?  You might
> want to get the patch and read over the release notes
> at least.

I've installed it and it seems to work.

I think the problem I was fearing rests on a misunderstanding.  The text
said this would affect "unmapped" SIDs.  I took this to mean all SIDs that
I did not explicitly map -- which is everything except the magic privilege
determining groups (i.e.: Domain Admins, Power Users).  So I was afraid
that my users would lose ownership to all the files they created on
their own hard drives.

It's now apparent that an entry in smbpasswd counts as a SID mapping
(which just so happens to match exactly the SIDs that would have
been generated for an unmapped user at the same unix uid.)

While no change to the code is needed, the documentation about the 3.0.23
changes should be updated to clarify that:

 * any user that can log on to a samba DC counts as mapped, so their own
   file ownership is safe.
 * to map a unix gid to a SID identical to what samba-3.0.22 would have
   given, use net groupmap.
 * to map a unix uid to a SID identical to what samba-3.0.22 would have
   given, use smbpasswd to create an account for the user.

---- Michael Deutschmann <michael at talamasca.ocis.net>
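Added example, not part of Michael's post or of Samba itself: a small Python helper that reproduces the uid/gid-to-RID arithmetic Samba 3.0.22 applied to unmapped ids, so an admin preparing the 3.0.23 upgrade can pin each unix group to its old RID with net groupmap (as the second bullet recommends) and audit existing mappings for SIDs that would change. It assumes the default "algorithmic rid base" of 1000 and the multiplier of 2 used by Samba 3.x; the (gid, rid) pairs in the audit are constructed sample data.

```python
# Added example (not from the post or from Samba). Reproduces the algorithmic
# uid/gid -> RID mapping Samba 3.0.22 used for unmapped ids so explicit
# mappings (net groupmap / smbpasswd) can be created that keep the SIDs that
# files on users' drives already carry. ASSUMPTION: default "algorithmic rid
# base" of 1000 and RID_MULTIPLIER of 2; check your smb.conf before relying on it.

ALGORITHMIC_RID_BASE = 1000   # smb.conf "algorithmic rid base" default (assumed)
RID_MULTIPLIER = 2            # even offsets are users, odd offsets are groups

def user_rid(uid, base=ALGORITHMIC_RID_BASE):
    """RID Samba 3.0.22 derived for an unmapped unix uid."""
    return uid * RID_MULTIPLIER + base

def group_rid(gid, base=ALGORITHMIC_RID_BASE):
    """RID Samba 3.0.22 derived for an unmapped unix gid (odd offset)."""
    return gid * RID_MULTIPLIER + base + 1

def rid_to_unix_id(rid, base=ALGORITHMIC_RID_BASE):
    """Invert the mapping to ('uid', n) or ('gid', n). Well-known RIDs below
    the base (e.g. 512 = Domain Admins) are never algorithmic and are rejected."""
    if rid < base:
        raise ValueError("RID %d is below the algorithmic base" % rid)
    offset = rid - base
    kind = "uid" if offset % RID_MULTIPLIER == 0 else "gid"
    return kind, offset // RID_MULTIPLIER

def groupmap_add_command(unixgroup, ntgroup, gid, base=ALGORITHMIC_RID_BASE):
    """The net groupmap invocation that pins a unix group to its 3.0.22 RID."""
    return ('net groupmap add rid=%d unixgroup=%s ntgroup="%s" type=domain'
            % (group_rid(gid, base), unixgroup, ntgroup))

def audit_existing_mappings(mappings, base=ALGORITHMIC_RID_BASE):
    """Given (gid, rid) pairs collected from net groupmap list plus getent group,
    return (gid, current_rid, expected_rid) for every mapping whose RID differs
    from the 3.0.22 algorithmic value; those are the groups whose file ownership
    would change after the upgrade."""
    mismatched = []
    for gid, rid in mappings:
        expected = group_rid(gid, base)
        if rid != expected:
            mismatched.append((gid, rid, expected))
    return mismatched

if __name__ == "__main__":
    print(groupmap_add_command("staff", "Staff", 100))
    # Constructed sample: gid 100 is pinned correctly, gid 200 is mapped to a
    # RID that 3.0.22 would never have handed out for that gid.
    print(audit_existing_mappings([(100, 1201), (200, 5000)]))
```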
