
List:       samba-technical
Subject:    winbindd uid and gid range assumptions
From:       Mike Gerdts <Michael.Gerdts () alcatel ! com>
Date:       2002-05-13 18:35:45

It seems as though there was an assumption that users of winbindd would
have switched entirely to NT domain authentication or that they would
have a distinct range of UIDs/GIDs for /etc/passwd (or NIS) and NT domain.

The most obvious sign of this is the peppering of statements like the
following throughout various files:

        /* Bug out if the gid isn't in the winbind range */

        if ((state->request.data.gid < server_state.gid_low) ||
            (state->request.data.gid > server_state.gid_high)) {
                return WINBINDD_ERROR;
        }

Also, smbd/uid.c does a similar check before calling
winbind_[ug]id_to_sid():

        if (lp_winbind_uid(&low, &high) && uid >= low && uid <= high) {
                if (winbind_uid_to_sid(psid, uid)) {

                        DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
                                (unsigned int)uid, sid_to_string(sid, psid)));

                        return psid;
                }
        }

Is there any good reason to not just let get_id_from_sid() in
nsswitch/winbindd_idmap.c do all the checking?  It seems as though the
optimization achieved by the multitude of checks is minimal and greatly
reduces the integration possibilities between winbindd and
traditional unix authentication.

Mike
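
Added example, not part of the original message and not Samba code: a
simplified C model of the two strategies the message contrasts, a range
gate in front of the id map versus the map lookup alone. The struct
layout, function names, uid range and SIDs are all constructed
assumptions.

```c
#include <stddef.h>

/* Simplified model of the two lookup strategies discussed above. Not
 * Samba code: names, table layout and sample SIDs are constructed. */

struct idmap_entry { unsigned int uid; const char *sid; };

struct idmap {
    unsigned int uid_low, uid_high;      /* configured winbind uid range */
    const struct idmap_entry *entries;
    size_t count;
};

/* Table lookup only: the map itself is the sole authority. */
const char *lookup_table_only(const struct idmap *m, unsigned int uid)
{
    for (size_t i = 0; i < m->count; i++)
        if (m->entries[i].uid == uid)
            return m->entries[i].sid;
    return NULL;
}

/* Range gate first, as in the quoted checks: ids outside the
 * configured range are refused before the table is consulted. */
const char *lookup_range_gated(const struct idmap *m, unsigned int uid)
{
    if (uid < m->uid_low || uid > m->uid_high)
        return NULL;
    return lookup_table_only(m, uid);
}

/* Constructed sample data: range 10000-20000, plus one entry (uid 500)
 * in the number space normally used by /etc/passwd accounts. */
static const struct idmap_entry sample_entries[] = {
    { 10000, "S-1-5-21-1-2-3-1001" },
    { 10001, "S-1-5-21-1-2-3-1002" },
    {   500, "S-1-5-21-1-2-3-1003" },
};
const struct idmap sample_map = { 10000, 20000, sample_entries, 3 };

/* Count the uids in [from, to] on which the two strategies disagree. */
unsigned count_disagreements(const struct idmap *m, unsigned from, unsigned to)
{
    unsigned n = 0;
    for (unsigned uid = from; uid <= to; uid++)
        if (lookup_table_only(m, uid) != lookup_range_gated(m, uid))
            n++;
    return n;
}
```

In this model the two strategies disagree only on uid 500, the one
constructed entry outside the configured range; inside the range the
gate changes no result.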


