
NAS-129929 / 24.10 / Improve SID handling #13984

Merged (6 commits), Jul 11, 2024

Conversation

@anodos325 (Contributor) commented Jul 5, 2024

Do not rely on Samba to generate a new system SID and make randomized
SID persistent across server changes. This is to help prevent admin
foot-shooting when they choose to make major server changes that force
Samba to regenerate a new SID and thus invalidate their share ACLs
on production servers.

Since local user / group RID values are deterministic based on the id
key for user / group accounts, populate sid key in user.query and
group.query extend methods. Apply similar logic to short-circuit
SID conversion.

The nt_name key provides little value to API consumers and so remove
for account entries.

Remove subprocess call to net groupmap in favor of using our tdb
utilities to directly alter the group_mapping.tdb file. This generally
performs better and avoids having to synchronize group mappings during
group CRUD methods.
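The design described in this PR (a persistent, randomly generated server SID, account SIDs derived deterministically from the account id, and a short-circuit for SIDs that fall under the local server SID) is sketched below as an added example; it is not middleware code, and the RID formula `RID_BASE + 2 * id (+1 for groups)` is an assumption chosen only to make the mapping injective, not the project's actual scheme.

```python
import re
import secrets

# Local server SIDs have the form S-1-5-21-<a>-<b>-<c>; an account's RID is appended as a fifth sub-authority.
SERVER_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)$")
RID_BASE = 1000  # assumption: keep generated RIDs clear of well-known RIDs (< 1000)


def generate_server_sid() -> str:
    """Generate the randomized server SID once, from a CSPRNG; the caller persists it in config."""
    return "S-1-5-21-" + "-".join(str(secrets.randbelow(2 ** 32)) for _ in range(3))


def is_server_sid(sid: str) -> bool:
    """True if the string is a well-formed S-1-5-21 SID whose sub-authorities fit in 32 bits."""
    m = SERVER_SID_RE.match(sid)
    return m is not None and all(int(x) < 2 ** 32 for x in m.groups())


def local_rid(account_id: int, is_group: bool) -> int:
    """Hypothetical deterministic RID scheme: even RIDs for users, odd for groups,
    offset from RID_BASE so distinct accounts never collide with each other or well-known RIDs."""
    if account_id < 0:
        raise ValueError("account id must be non-negative")
    return RID_BASE + 2 * account_id + (1 if is_group else 0)


def local_sid(server_sid: str, account_id: int, is_group: bool) -> str:
    """The SID a user.query / group.query extend method can populate without asking Samba."""
    if not is_server_sid(server_sid):
        raise ValueError(f"malformed server SID: {server_sid}")
    return f"{server_sid}-{local_rid(account_id, is_group)}"


def sid_to_account(server_sid: str, sid: str):
    """Short-circuit SID conversion for SIDs under the local server SID.

    Returns ("USER", id) or ("GROUP", id) for a local account SID, and None when the SID is
    foreign or well-known, in which case the slow path (idmap / winbind) is still required."""
    prefix = server_sid + "-"
    rid_str = sid[len(prefix):]
    if not sid.startswith(prefix) or not rid_str.isdigit():
        return None
    rid = int(rid_str)
    if rid < RID_BASE:
        return None  # e.g. RID 513 ("Domain Users") is well-known, not a local account entry
    offset = rid - RID_BASE
    return ("GROUP" if offset % 2 else "USER", offset // 2)
```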

@bugclerk (Contributor) commented Jul 5, 2024

@bugclerk bugclerk changed the title from "Improve handling for local server SID" to "NAS-129929 / 24.10 / Improve handling for local server SID" Jul 5, 2024
@anodos325 anodos325 force-pushed the improve-server-sid branch 11 times, most recently from 148129c to 01aeb2b Compare July 8, 2024 17:38
Do not rely on Samba to generate a new system SID and make randomized
SID persistent across server changes. This is to help prevent admin
foot-shooting when they choose to make major server changes that force
Samba to regenerate a new SID and thus invalidate their share ACLs
on production servers.

Since local user / group RID values are deterministic based on the id
key for user / group accounts, populate `sid` key in user.query and
group.query extend methods. Apply similar logic to short-circuit
SID conversion.

The nt_name key provides little value to API consumers and so remove
for account entries.

Remove subprocess call to `net groupmap` in favor of using our tdb
utilities to directly alter the group_mapping.tdb file. This generally
performs better and avoids having to synchronize group mappings during
group CRUD methods.
@anodos325 anodos325 changed the title from "NAS-129929 / 24.10 / Improve handling for local server SID" to "NAS-129929 / 24.10 / Improve SID handling" Jul 8, 2024
@anodos325 anodos325 removed the WIP label Jul 8, 2024
@mgrimesix (Contributor) left a comment

First pass: Flake8 complaints.
There are unused imports in several modules, but not new.

Review threads (all resolved):
src/middlewared/middlewared/plugins/idmap.py (outdated)
src/middlewared/middlewared/plugins/idmap.py
src/middlewared/middlewared/plugins/smb_/groupmap.py (outdated)
tests/api2/test_smb_groupmap.py
@anodos325 anodos325 requested a review from mgrimesix July 9, 2024 13:41
@bmeagherix (Contributor) left a comment

I'll approve as most of my comments are minor.

Review threads (all resolved):
src/middlewared/middlewared/plugins/account.py (outdated)
src/middlewared/middlewared/plugins/idmap.py (outdated, 3 threads)
src/middlewared/middlewared/utils/sid.py (outdated)
src/middlewared/middlewared/plugins/smb_/passdb.py (outdated)
src/middlewared/middlewared/pytest/unit/utils/test_sid.py (outdated)
tests/api2/test_smb_groupmap.py
@anodos325 anodos325 merged commit 0934f6c into master Jul 11, 2024
2 of 3 checks passed
@anodos325 anodos325 deleted the improve-server-sid branch July 11, 2024 20:26
@bugclerk (Contributor) commented

This PR has been merged and conversations have been locked.
If you would like to discuss more about this issue please use our forums or raise a Jira ticket.

@truenas truenas locked as resolved and limited conversation to collaborators Jul 11, 2024