Why are we allocating ID_TYPE_BOTH on a user or machine SID type ?

Jeremy Allison jra at samba.org
Wed Oct 16 17:51:54 MDT 2013


I'm looking at a really subtle problem someone is
having with POSIX ACLs that only started to occur
on an upgrade to 4.0.x authenticating against an
AD domain with idmap backend = rid.

In this circumstance when we're mapping a SID
we haven't seen before, the code in :

source3/winbindd/idmap_rid.c:idmap_rid_sid_to_id()

algorithmically maps both a uid and gid and returns a
type of ID_TYPE_BOTH.

Can someone explain that decision ? To my
naive eye it would seem to have been better
to only map both a uid and gid and return
ID_TYPE_BOTH when the type looked up from
the LookupRid call against the DC
was of type SID_NAME_DOM_GRP, SID_NAME_DOMAIN,
SID_NAME_ALIAS, SID_NAME_WKN_GRP.

When the incoming SID is known to be of
type SID_NAME_USER or SID_NAME_COMPUTER
then why are we mapping both a uid and
gid ?

At the time we're doing the mapping we've
already consulted the DC via LookupRid
so we know the type we are to map.

I can probably fix this another way,
but it'll be ugly and it would be much
easier to have a SID_NAME_USER or SID_NAME_COMPUTER
SID type mapped solely to ID_TYPE_UID :-(.

Jeremy.

