On Sat, Feb 3, 2018 at 8:28 AM, Richard Sharpe
<realrichardsharpe(a)gmail.com> wrote:
On Fri, Feb 2, 2018 at 1:07 AM, Sumit Bose <sbose(a)redhat.com>
wrote:
> On Thu, Feb 01, 2018 at 01:03:24PM -0800, Richard Sharpe wrote:
>> Hi folks,
>>
>> We have a customer who seems to do what RHEL does with respects users
>> and groups.
>>
>> That is:
>>
>> 1. User A has a SID of S-1-5-21-x-y-z-1234
>> 2. They also have a primary group SID of S-1-5-21-x-y-x-1235 (usually adjacent).
>> 3. They are also using RFC2703bis and they have the UID property set
>> to 21234 and the GID property set to 21234.
>>
>> Now, when the Samba idmap_sss.c calls sss_nss_getsidbyid looking for
>> the SID associated with the GID it often gets back the SID associated
>> with the UID, probably because we just asked for the SID associated
>> with the UID.
>>
>> Is there a different function I can call to get both/all? I looked at
>> the code for sss_nss_getsidbyid and it just calls sss_nss_getyyybyxxx
>> and that function seems to only hand back the first SID returned.
>
> I'm sorry, I have to admit that this kind of setup didn't came to my
> mind when writing those calls. But yes, users and group are coming from
> different name spaces on the POSIX side and should be handled
> separately.
>
> Currently you can only do workarounds. E.g. if the group name differs
> from the user name you call getpwuid() and getgrgid() first and then
> sss_nss_getsidbyname(). But this would only work if the use names based
> on the samAccountName attribute from AD because iirc AD enforces
> uniqueness here. If they use a different attribute for the group names
> this might not work.
>
> As an alternative, but even more complicated you can make the SID
> available via D-Bus/InfoPipe and then lookup user and group by ID.
>
> So it looks like sss_nss_getsidbyuid() and sss_nss_getsidbygid() should
> be added to the interface. Would you mind to open a ticket about this on
>
https://pagure.io/SSSD/sssd/new_issue or do you prefer me doing this?
Hmmm, it looks like all I might have to do is to add a couple of
simple routines to src/responder/nss/nss_cmd.c like this
static errno_t nss_cmd_getsidbyid(struct cli_ctx *cli_ctx)
{
const char *attrs[] = { SYSDB_SID_STR, NULL };
return nss_getby_id(cli_ctx, false, CACHE_REQ_OBJECT_BY_ID, attrs,
SSS_MC_NONE, nss_protocol_fill_sid);
}
except replacing SSS_MC_NONE with SSS_MC_PASSWD or SSS_MC_GROUP and
add SSS_NSS_GETSIDBYUID and SSS_NSS_GETSIDBYGID and plumb it all the
way through.
Could be wrong because I am still reading the code.
That attached patch seems like it could go close to doing what I want.
It seems there are no cmocka tests for sss_nss_getsidbyid as well, so
there was nothing for me to copy there.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)