On Tue, Aug 9, 2011 at 2:31 PM, <shirishpargaonkar@xxxxxxxxx> wrote: > From: Shirish Pargaonkar <shirishpargaonkar@xxxxxxxxx> > > > Add functions to map a uid and gid to a SID. These functions are > similar to SID to uid and gid mapping functions. > A SID is what is returned to the cifs module. > > > Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@xxxxxxxxx> > --- > cifs.idmap.c | 37 +++++++++++++++++++++++++++++++++++++ > 1 files changed, 37 insertions(+), 0 deletions(-) > > diff --git a/cifs.idmap.c b/cifs.idmap.c > index 56edb58..80802d7 100644 > --- a/cifs.idmap.c > +++ b/cifs.idmap.c 
> @@ -134,6 +134,43 @@ cifs_idmap(const key_serial_t key, const char *key_descr) > goto cifs_idmap_ret; > } > > + sidstr = strget(key_descr, "oi:"); > + if (sidstr) { > + uid = atoi(sidstr); > + syslog(LOG_DEBUG, "SID: %s, uid: %d", sidstr, uid); > + rc = wbcUidToSid(uid, &sid); > + if (rc) > + syslog(LOG_DEBUG, "uid %d to SID error: %d", uid, rc); > + if (!rc) { /* SID has been mapped to a uid */ > + rc = keyctl_instantiate(key, &sid, > + sizeof(struct wbcDomainSid), 0); > + if (rc) > + syslog(LOG_ERR, "%s: key inst: %s", > + __func__, strerror(errno)); > + } > + > + goto cifs_idmap_ret; > + } > + > + sidstr = strget(key_descr, "gi:"); > + if (sidstr) { > + gid = atoi(sidstr); > + syslog(LOG_DEBUG, "SID: %s, gid: %d", sidstr, gid); > + rc = wbcGidToSid(gid, &sid); > + if (rc) > + syslog(LOG_DEBUG, "gid %d to SID error: %d", gid, rc); > + if (!rc) { /* SID has been mapped to a gid */ > + rc = keyctl_instantiate(key, &sid, > + sizeof(struct wbcDomainSid), 0); > + if (rc) > + syslog(LOG_ERR, "%s: key inst: %s", > + __func__, strerror(errno)); > + } > + > + goto cifs_idmap_ret; > + } > + > + > syslog(LOG_DEBUG, "Invalid key: %s", key_descr); > > cifs_idmap_ret: > -- > 1.6.0.2 > >

Jeff, any comments on this?

I think this patch and the kernel parts of this patchset should be doing something similar to what is currently done for servers that support Unix extensions. Care is taken so that only the server ids can be assigned as an id to change to; if an id can't be resolved, then chown/chgrp fail, and if an id can be resolved, the server is the one which decides whether to apply the changed security descriptor or not.

Regards,
Shirish
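Review bot: `uid = atoi(sidstr);` and `gid = atoi(sidstr);` take the id from the key description without validating it. atoi() returns 0 when the text after "oi:" or "gi:" is not a number, so a malformed description is silently looked up as uid/gid 0, and an out-of-range value has undefined behaviour. Parse with strtoul(), check errno and the end pointer, and fall through to the "Invalid key" path on failure. Two smaller points in the same blocks: the debug lines print the numeric id string under the label "SID:", and the comments "SID has been mapped to a uid" / "to a gid" state the reverse of what wbcUidToSid()/wbcGidToSid() do here. The uid and gid branches are otherwise identical and could share one helper.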