On Sun, 2004-02-29 at 05:28, Sebastian Hetze wrote:
> Hi *
>
> I encounter severe problems with changing ACL settings in Samba
> 3.0.2a after migrating users from NT PDC to LDAP-SAM.
> I did not find anything about this in the mailing list yet.
> However, I have no idea what (if anything) I am doing wrong here.
> Although I can hardly believe that I am the first one to trigger
> that bug, it looks like a problem with the sid_to_gid routine.
> So please take a look at that:
>
> After migrating users from NT4 to samba you get lots of RIDs that
> do not match the rid algorithm.

The code is designed such that it should look for a matching name in the SAM -> posix account to establish the mapping, before resorting to the algorithmic mapping.

> As one such user, preferably one
> with an odd RID, create a new file on some samba share with Linux
> ACL enabled. Now open the Properties->Security->??? dialog
> (Eigenschaften->Sicherheit->Berechtigungen in German)
> and change anything. Add write permission to everyone, for example.
> Now take a look at that file in the Linux filesystem, specially
> the ACL on that file. The owner has lost write permission and
> some group has got full access instead.
> The GID of this (possibly not even existing) group is exactly
> the result of the RID algorithm calculation. OUCH.
>
> My brief investigations indicate that the function
> create_canon_ace_lists() from posix_acls.c calls both sid_to_gid()
> and sid_to_uid() in turn with the same SID just to try if it matches
> in one case or the other. Unfortunately, sid_to_gid() falls back to
> algorithmic mapping and in the case shown above it succeeds to
> calculate a gid out of the migrated user's RID.
>
> Turning off algorithmic rid calculation in general would solve
> the problem. However, I doubt that this is the correct solution
> at this time. For example, I would like to keep this algorithmic
> thing for automatic creation of new (machine) accounts.

I still think you should use the algorithmic rid base, but we need to make these functions 'fail' for users in that range.

> One possible solution might be, to use the algorithmic rid base to
> open a window of free RIDs for NT user migration. This could possibly
> be done by checking the return value of pdb_group_rid_to_gid to be
> a non-negative value before assigning the gid (just a quick shot).

We should allow these functions to fail, yes.

> Before I start coding and further testing I would like to get you
> involved. First of all, I would like you to either confirm the
> bug or help me, a blind man, to find the misconfiguration on my side.

Sounds like a genuine bug to me.

What we needed was the full idmap, but in the meantime, we should have a sid_to_id() routine, that tries both systems for an 'exact' match, before it guesses.

Please write this up in bugzilla, so we don't lose it. This is a serious issue, as you have noted.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
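The lookup order the two messages above argue about, as an added illustration that is not Samba's code and was not posted by either participant. It models the reported failure (sid_to_gid() guessing a gid from a migrated user's RID) next to the sid_to_id() ordering proposed in the reply: exact SAM match as a user, then as a group, then an algorithmic guess that is allowed to fail. Assumptions, stated here rather than taken from the thread: the Samba-3 convention of user RID = 2*uid + base and group RID = 2*gid + base + 1 with base from the "algorithmic rid base" parameter (default 1000), and a constructed three-entry SAM in place of the LDAP backend.

```c
#include <stdio.h>

/* Assumed RID convention (modelled on Samba 3.0 passdb defaults, not Samba's code):
 *   user  RID = uid * RID_MULTIPLIER + base
 *   group RID = gid * RID_MULTIPLIER + base + 1
 * where base is the "algorithmic rid base" smb.conf parameter. */
#define RID_MULTIPLIER 2
static long algorithmic_rid_base = 1000;

enum sid_type { SID_NONE = 0, SID_USER, SID_GROUP };

struct posix_id {
    enum sid_type type;   /* SID_NONE means the mapping failed */
    long id;              /* uid or gid, valid only when type != SID_NONE */
};

/* One SAM record: which RID belongs to which POSIX account or group. */
struct sam_entry {
    unsigned rid;
    enum sid_type type;
    long id;
};

/* Constructed sample SAM (hypothetical data for this example). */
static const struct sam_entry sam[] = {
    { 1007, SID_USER,  1500 },  /* migrated NT user: odd RID, does not fit the algorithm */
    { 513,  SID_GROUP, 100  },  /* Domain Users, mapped to an existing posix group */
    { 3000, SID_USER,  1000 },  /* machine account created algorithmically: 1000*2 + 1000 */
};

/* Exact lookup: returns 1 and fills *id if the SAM holds an entry of the wanted type. */
static int sam_lookup(unsigned rid, enum sid_type want, long *id)
{
    size_t i;
    for (i = 0; i < sizeof sam / sizeof sam[0]; i++) {
        if (sam[i].rid == rid && sam[i].type == want) {
            *id = sam[i].id;
            return 1;
        }
    }
    return 0;
}

/* The behaviour reported in the thread: no group has this RID, so the routine
 * falls back unconditionally to the algorithmic inverse.  For the migrated user
 * RID 1007 that "succeeds" with gid (1007 - 1000 - 1) / 2 = 3, a group that may
 * not exist, and the ACL rewrite then hands that gid the owner's permissions. */
static long legacy_sid_to_gid(unsigned rid)
{
    long gid;
    if (sam_lookup(rid, SID_GROUP, &gid))
        return gid;
    return ((long)rid - algorithmic_rid_base - 1) / RID_MULTIPLIER;
}

/* The ordering suggested in the reply: exact SAM match as a user, then as a
 * group, and only then an algorithmic guess, which refuses RIDs below the base
 * (that window is what a migration can use for non-algorithmic RIDs). */
static struct posix_id sid_to_id(unsigned rid)
{
    struct posix_id r = { SID_NONE, -1 };
    long off;

    if (sam_lookup(rid, SID_USER, &r.id))  { r.type = SID_USER;  return r; }
    if (sam_lookup(rid, SID_GROUP, &r.id)) { r.type = SID_GROUP; return r; }

    off = (long)rid - algorithmic_rid_base;
    if (off < 0)                 /* below the base: not an algorithmic RID, fail */
        return r;
    if (off % RID_MULTIPLIER == 0) {         /* even offset: algorithmic user RID */
        r.type = SID_USER;
        r.id = off / RID_MULTIPLIER;
    } else {                                 /* odd offset: algorithmic group RID */
        r.type = SID_GROUP;
        r.id = (off - 1) / RID_MULTIPLIER;
    }
    return r;
}

int main(void)
{
    struct posix_id p = sid_to_id(1007);
    printf("legacy sid_to_gid(1007) -> gid %ld (bogus)\n", legacy_sid_to_gid(1007));
    printf("sid_to_id(1007)         -> type %d uid %ld\n", p.type, p.id);
    algorithmic_rid_base = 5000;             /* open a window of free RIDs below 5000 */
    p = sid_to_id(1003);
    printf("base 5000, sid_to_id(1003) -> type %d (0 = fail, as it should)\n", p.type);
    return 0;
}
```

The point of the second routine is not the parity trick but the order of operations: the exact lookups run for both types before any guess is made, and the guess is a fallible call rather than a pure function, so create_canon_ace_lists() can skip an entry instead of granting a computed gid.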
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
