samba-technical Digest, Vol 36, Issue 30

Stéphane Purnelle stephane.purnelle at tiscali.be
Thu Dec 29 12:56:40 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

<snip>
Message: 14
Date: Thu, 29 Dec 2005 12:47:18 +0100
From: Volker Lendecke <Volker.Lendecke at SerNet.DE>
Subject: Re: "algorithmic rid base" bogus?
To: samba-technical at samba.org
Message-ID: <E1ErwBA-00006v-00 at intern.SerNet.DE>
Content-Type: text/plain; charset="us-ascii"

On Tue, Dec 27, 2005 at 10:49:44PM +0100, Volker Lendecke wrote:

>> Thinking about migration issues right now, but I think the only
>> real issue is generating the samlogon token, and this is either
>> doable on the fly or even better it is scriptable. Enumerate all
>> users, do the query_usergroups call for them and add explicit
>> mapping entries.


> I think I found a sane way for upgrades (not relevant for
> smbpasswd):

> I will add a parameter 'auto map groups', defaulting to 'yes'. This
> hooks into the gid2sid routine and adds group mappings based on
> the RID algorithm whenever non-mapped gids pass by. This way all
> groups that right now are mapped based on the algorithm function as
> they do now; they show up in the samlogon token.

If I understand correctly, a Unix group not mapped with net groupmap or
other tools (no SID) will be mapped with the algorithm function!

> This conflicts however with new users, workstations and groups.
> There is just no sane way to find a RID space that is free now and
> in the future to allocate RIDs from. So 'auto map groups = yes'
> makes pdb_new_rid plainly refuse to allocate new RIDs, preventing
> the admin from shooting himself in the foot.

> The active part the admin has to take is to explicitly map all
> groups in use, issue a 'net maxrid' operation that will set the
> next RID to allocate and set 'auto map groups = no'. We might also
> note the setting in the sambaDomain object and tdbsam, this is a
> one-time setting like the upgrade to W2k native mode.

> No user affected, only admins will see a prominent debuglevel 0
> message.

But I see a little problem: an admin only reads the logs if there is a
problem. I would prefer that a user helps me by saying "You don't have
rights to this file because no SID was found for group xxxx" rather
than having no visible problem but not having a correct RID table with
all groups mapped to a Windows SID with the correct tools.

> Sounds weird? Can we impose that on our users?

> Volker
</snip>


    Stéphane Purnelle


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDs90H8tswkE3d0ecRAshvAJ9ReLrFLH2CBYVhMGXHF28UiB+U4gCfX58v
g9qWbAyEmKMYfVDWoNN+PeA=
=U909
-----END PGP SIGNATURE-----
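The upgrade path Volker sketches above (auto-mapping unmapped gids through the RID algorithm, refusing fresh RID allocation while that is on, then explicit mapping, 'net maxrid' and switching auto-mapping off), modelled as a small Python simulation. This is an added illustration, not Samba source code and not Volker's patch. The two RID formulas are Samba's documented algorithmic mapping (user RID = uid*2 + base, group RID = gid*2 + base + 1, with 'algorithmic rid base' defaulting to 1000); everything else, including the class and exception names and the behaviour of the toy 'net maxrid', is an assumption made to follow the mail.

```python
RID_MULTIPLIER = 2
ALGORITHMIC_RID_BASE = 1000  # Samba's default 'algorithmic rid base'


def algorithmic_group_rid(gid, base=ALGORITHMIC_RID_BASE):
    """Samba's legacy gid -> RID function (odd RIDs are groups)."""
    return gid * RID_MULTIPLIER + base + 1


def algorithmic_user_rid(uid, base=ALGORITHMIC_RID_BASE):
    """Samba's legacy uid -> RID function (even RIDs are users)."""
    return uid * RID_MULTIPLIER + base


class RidAllocationRefused(Exception):
    """Hypothetical error: pdb_new_rid refuses while 'auto map groups = yes'."""


class DomainRidSpace:
    """Toy model of one domain's group map plus its RID allocator (assumption)."""

    def __init__(self, auto_map_groups=True):
        self.auto_map_groups = auto_map_groups
        self.gid_to_rid = {}                   # explicit mappings, as 'net groupmap' would record
        self.next_rid = ALGORITHMIC_RID_BASE   # allocator position before any 'net maxrid'
        self.log = []                          # stands in for the debuglevel 0 messages

    def groupmap_add(self, gid, rid):
        """Explicit mapping done by the admin (the 'net groupmap' step)."""
        self.gid_to_rid[gid] = rid

    def gid2sid(self, gid):
        """Resolve a gid to a RID; with auto-mapping on, unmapped gids are
        mapped algorithmically on the fly so they still reach the samlogon token."""
        if gid in self.gid_to_rid:
            return self.gid_to_rid[gid]
        if self.auto_map_groups:
            rid = algorithmic_group_rid(gid)
            self.gid_to_rid[gid] = rid
            self.log.append(f"auto-mapped gid {gid} -> RID {rid}; map it explicitly "
                            f"and run 'net maxrid' before setting 'auto map groups = no'")
            return rid
        self.log.append(f"no SID found for gid {gid}")
        return None

    def pdb_new_rid(self):
        """Allocate a fresh RID for a new user, workstation or group."""
        if self.auto_map_groups:
            # The free RID space is unknowable while algorithmic mappings may still appear.
            raise RidAllocationRefused("'auto map groups = yes': refusing to allocate")
        rid = self.next_rid
        self.next_rid += 1
        return rid

    def net_maxrid(self):
        """Move the allocator above every RID currently in use."""
        self.next_rid = max(self.gid_to_rid.values(), default=ALGORITHMIC_RID_BASE) + 1
        return self.next_rid


def upgrade_walkthrough():
    """Run the proposed migration once and report what each step produced."""
    space = DomainRidSpace(auto_map_groups=True)
    auto_mapped = space.gid2sid(100)           # unmapped gid, mapped on the fly
    try:
        space.pdb_new_rid()
        refused = False
    except RidAllocationRefused:
        refused = True
    # Admin step: map every group in use explicitly (constructed gids 100, 200, 300).
    for gid in (100, 200, 300):
        space.groupmap_add(gid, algorithmic_group_rid(gid))
    next_rid = space.net_maxrid()              # allocator now sits above all mapped RIDs
    space.auto_map_groups = False              # the one-time switch
    fresh = [space.pdb_new_rid(), space.pdb_new_rid()]
    unmapped = space.gid2sid(999)              # no longer auto-mapped: None plus a log line
    return {
        "auto_mapped_rid": auto_mapped,
        "refused": refused,
        "next_rid_after_maxrid": next_rid,
        "fresh_rids": fresh,
        "unmapped_after_disable": unmapped,
        "log": space.log,
    }


def first_collision_without_maxrid():
    """Show the hazard the refusal guards against: switch auto-mapping off but skip
    'net maxrid', and the allocator eventually hands out a RID already owned by a group."""
    space = DomainRidSpace(auto_map_groups=False)
    space.groupmap_add(100, algorithmic_group_rid(100))
    in_use = set(space.gid_to_rid.values())
    while True:
        rid = space.pdb_new_rid()
        if rid in in_use:
            return rid


if __name__ == "__main__":
    print(upgrade_walkthrough())
    print("colliding RID without 'net maxrid':", first_collision_without_maxrid())
```

The collision function is the point a defender cares about: a freshly allocated user or workstation RID that equals an existing group's algorithmic RID gives two principals the same SID, so refusing allocation until the admin has finished the explicit mapping and raised the allocator is what keeps the RID space consistent.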
