NAS-129929 / 24.10 / Improve SID handling #13984
Do not rely on Samba to generate a new system SID and make randomized SID persistent across server changes. This is to help prevent admin foot-shooting when they choose to make major server changes that force Samba to regenerate a new SID and thus invalidate their share ACLs on production servers.

Since local user / group RID values are deterministic based on the id key for user / group accounts, populate `sid` key in user.query and group.query extend methods. Apply similar logic to short-circuit SID conversion.

The nt_name key provides little value to API consumers and so remove for account entries.

Remove subprocess call to `net groupmap` in favor of using our tdb utilities to directly alter the group_mapping.tdb file. This generally performs better and avoids having to synchronize group mappings during group CRUD methods.
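An added illustration of the approach the description outlines (not code from this PR or from the project): a machine SID is generated once and persisted, and account SIDs are derived from the account id so that local SIDs can be resolved without calling out to Samba. The RID base offsets, the JSON state file and all function names are assumptions made for the example.

```python
import json
import os
import secrets

# Assumed offsets for illustration only; the project's real values are not shown on this page.
USER_RID_BASE = 20000
GROUP_RID_BASE = 200000


def load_or_create_machine_sid(path):
    """Return the persisted machine SID, generating a random one only on first use."""
    if os.path.exists(path):
        with open(path) as f:
            return json.load(f)["sid"]
    # A machine SID is S-1-5-21 followed by three 32-bit subauthorities.
    sid = "S-1-5-21-" + "-".join(str(secrets.randbits(32)) for _ in range(3))
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"sid": sid}, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)  # atomic rename: never leaves a half-written SID behind
    return sid


def account_sid(machine_sid, db_id, is_group=False):
    """Derive an account SID from its database id (deterministic RID)."""
    if db_id < 0 or (not is_group and USER_RID_BASE + db_id >= GROUP_RID_BASE):
        raise ValueError("id outside the RID range reserved for this account type")
    base = GROUP_RID_BASE if is_group else USER_RID_BASE
    return f"{machine_sid}-{base + db_id}"


def sid_to_account(machine_sid, sid):
    """Resolve a local SID to (kind, db_id) without a lookup; None if not local."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != machine_sid or not (rid.isascii() and rid.isdigit()):
        return None  # foreign domain or malformed: fall back to a real lookup
    rid = int(rid)
    if rid >= GROUP_RID_BASE:
        return ("group", rid - GROUP_RID_BASE)
    if rid >= USER_RID_BASE:
        return ("user", rid - USER_RID_BASE)
    return None  # well-known or builtin RID, not a local account
```

Because the stored SID is reused on every call, SIDs already written into share ACLs keep resolving to the same accounts after the state file is carried across a server change.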
First pass: Flake8 complaints.
There are unused imports in several modules, but not new.
I'll approve as most of my comments are minor.
This PR has been merged and conversations have been locked.