[RFC] adding a fixed gid to the unix process token in smbd and other servers

Stefan (metze) Metzmacher metze at samba.org
Tue Jul 21 21:24:46 UTC 2015


Hi Uri,

> This patch set adds the ability to add a gid to the UNIX process token
> of smbd, as well as other servers (assuming they use getgrouplist()
> and nsswitch is using nss_winbind). This is analogous to the Everyone
> (S-1-1-0) SID and a bunch of other SIDs that get added to the NT
> token.
> 
> For smbd, the "Everyone" (S-1-1-0) SID is added to every token. The
> idea is to perform group mapping of "Everyone" (SID S-1-1-0) to some
> unix group id, and then let smbd translate that SID into the gid.
> Unfortunately, this was not supported for pdb backends that use local
> group mapping for well-known and builtin SIDs, and the first part of
> the patch set changes that.
> 
> The patch changes the default for the whole pdb interface, because the
> default sid->xid for pdb interface is to use local group mapping (in
> case of builtin/well known SIDs). Changing default behavior in this
> way certainly is alarming, but I could not find a reason for it to be
> the way it is now - I would be happy to stand corrected (sent an email
> about it yesterday).
> 
> For other servers, the other parts of this patch set add functionality
> to winbindd to mimic smbd's behavior when doing getgrouplist() - it
> allows winbindd to add some SIDs to the list of SIDs obtained from the
> backend, before translating the whole bunch to gids (and the first
> patch and the group mapping let S-1-1-0 be translated).
> 
> I could also use some pointers about testing - my idea is to have a
> black-box test that runs wbinfo without and with the added SIDs, and
> verifies the added groups. I can see there are some wbinfo tests, but I
> need the test to configure smb.conf and do group mapping - was
> wondering whether there's a "standard" way of doing it. Also, should I
> clean up the env (group mapping, changes to smb.conf) before ending the
> test, or is it the job of make test to clean up between tests?

I really don't understand why we want a new option in order to specify some
by hand.

I think this needs a bit more thinking and should also be useful on
a domain controller.

I think this somehow needs to work without adding group mappings.

How does that belong to pdb_is_responsible_for_wellknown() and
pdb_is_responsible_for_everything_else()?

metze
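
Added example (editor's illustration, not Samba code and not part of this thread): a minimal C sketch of the server-side path Uri describes, a daemon deriving its UNIX process token from getgrouplist(3), and the point at which a fixed gid standing in for "Everyone" (S-1-1-0) would be inserted if NSS did not already deliver it. The function names, the user "root" and the gid value 65534 are assumptions made for illustration; whether nss_winbind is in the NSS chain is whatever the host's nsswitch.conf says.

```c
/*
 * Added example, not Samba code: how a server that relies on
 * getgrouplist(3) and NSS ends up with a UNIX process token, and where a
 * fixed gid standing in for "Everyone" (S-1-1-0) would be inserted.
 * Function names and the gid value 65534 are assumptions for illustration.
 */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Does groups[0..n) already contain gid? */
int contains_gid(const gid_t *groups, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

/* Append extra to groups[0..*n) unless present.
 * 1 = appended, 0 = already there, -1 = no room (cap slots). */
int add_gid_once(gid_t *groups, int *n, int cap, gid_t extra)
{
    if (contains_gid(groups, *n, extra))
        return 0;
    if (*n >= cap)
        return -1;
    groups[(*n)++] = extra;
    return 1;
}

/* Resolve user's groups through NSS (nss_winbind included when
 * nsswitch.conf lists it). getgrouplist() returns -1 when the buffer is
 * too small; glibc then stores the required size in *ngroups, other libcs
 * do not. A server that ignores -1 keeps a truncated token and silently
 * drops groups, so retry until the list fits. Returns a malloc'd array
 * (caller frees) and sets *out_n, or NULL on error. */
gid_t *lookup_unix_groups(const char *user, int *out_n)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return NULL;
    int cap = 16;
    gid_t *groups = malloc(cap * sizeof *groups);
    if (groups == NULL)
        return NULL;
    for (;;) {
        int n = cap;
        if (getgrouplist(user, pw->pw_gid, groups, &n) != -1) {
            *out_n = n;
            return groups;
        }
        cap = (n > cap) ? n : cap * 2; /* glibc reports the need; else double */
        gid_t *bigger = realloc(groups, cap * sizeof *groups);
        if (bigger == NULL) {
            free(groups);
            return NULL;
        }
        groups = bigger;
    }
}

/* Build the token: NSS groups plus everyone_gid. Returns 1 if the gid had
 * to be appended here, 0 if NSS already delivered it (what a winbindd that
 * injects S-1-1-0 would cause), -1 on error. *out is malloc'd. */
int build_process_token(const char *user, gid_t everyone_gid,
                        gid_t **out, int *out_n)
{
    int n;
    gid_t *groups = lookup_unix_groups(user, &n);
    if (groups == NULL)
        return -1;
    gid_t *token = realloc(groups, (n + 1) * sizeof *token);
    if (token == NULL) {
        free(groups);
        return -1;
    }
    int added = add_gid_once(token, &n, n + 1, everyone_gid);
    *out = token;
    *out_n = n;
    return added;
}

/* Install the token; needs CAP_SETGID. setgroups() before setgid(), so a
 * failure does not leave the process half-switched. */
int apply_unix_token(gid_t primary, const gid_t *groups, int n)
{
    if (setgroups((size_t)n, groups) != 0)
        return -1;
    return setgid(primary);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    gid_t *token;
    int n, added = build_process_token(user, 65534 /* assumed */, &token, &n);
    if (added < 0) { fprintf(stderr, "%s: lookup failed\n", user); return 1; }
    printf("%s: %d gid(s); Everyone gid %s by NSS\n", user, n,
           added ? "not supplied" : "supplied");
    for (int i = 0; i < n; i++) printf("  %u\n", (unsigned)token[i]);
    free(token);
    return 0;
}
```

Running it as "./token <user>" prints the gids NSS returns for that user and whether the fixed gid was already among them; on a host where nss_winbind hands out the mapped S-1-1-0 gid, build_process_token() reports 0 instead of 1, which is the observable difference a black-box test of the kind Uri sketches would check. apply_unix_token() is not called from main() on purpose; it changes the caller's credentials.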
