[Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups
Brian H. Nelson
bhnelson at ysu.edu
Thu Oct 3 08:37:07 MDT 2013
Can anyone with knowledge about this issue offer any comment? Somebody
has to have an idea about it, good or bad.
Thanks,
Brian
On 9/11/2013 2:20 PM, Brian H. Nelson wrote:
> I'm trying to solve this issue I'm having where using 'valid users =
> +unixgroup' just plain doesn't work. I can't find any /documented/
> reason why this is so, but nevertheless, it seems to be the case. This
> is with samba 3.6.18, but seems to exist in all of 3.6.x and most or
> all of 3.5.x and perhaps earlier as well (see bug #6681).
>
> From what I can tell, the underlying reason it doesn't work is because
> create_local_nt_token_from_info3 doesn't seem to populate the user's
> token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm
> not sure exactly why this is the case; the code is a bit complicated.
>
> Ironically, if the user is explicitly mapped (username map in
> smb.conf) then it *does* work. This seems to be because an
> explicitly-mapped user will follow a different code path and end up
> using create_token_from_username which /does/ pull local UNIX groups.
>
> I don't understand why there is a difference in behavior between
> explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name
> maps to local user 'name' via idmap_nss, or some other facility). I
> would think that either case should ultimately end with the same result.
>
> This seems like a very major and long-standing problem to just be a
> bug. As such I feel like I'm missing something. Can a dev or somebody
> with a better understanding of the code fill me in?
>
> Here are some reference links that sound related:
> https://bugzilla.samba.org/show_bug.cgi?id=6681
> http://marc.info/?l=samba&m=135879161014066&w=2
> http://marc.info/?l=samba&m=120886782118153&w=2
>
> Thanks,
> Brian
>
--
----------------------------------------
Brian H. Nelson
Data Security Analyst I
IT Infrastructure Engineering
Youngstown State University
bhnelson[at]ysu[dot]edu
----------------------------------------
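
The following diagnostic is an added example, not part of the original post and not Samba code. It computes the S-1-22-2-<gid> SIDs a user's token should carry from their UNIX group memberships and reports which ones are absent from a token listing. The function names, the group rows and the token text are constructed for illustration; the token text is assumed to be any text that lists the token's SIDs, such as a token dump copied from an smbd debug log.

```python
import re

# Samba maps a local UNIX group to the SID S-1-22-2-<gid> ("Unix Group" domain).
UNIX_GROUP_SID_PREFIX = "S-1-22-2-"
UNIX_GROUP_SID_RE = re.compile(r"S-1-22-2-(\d+)")

# Constructed sample data: (name, gid, members), the shape of grp.getgrall() rows.
SAMPLE_GROUPS = [
    ("staff", 100, []),
    ("projects", 2001, ["alice"]),
    ("finance", 2002, ["alice", "bob"]),
    ("ops", 2003, ["bob"]),
]

# Constructed token listing: primary group present, supplementary groups absent.
SAMPLE_TOKEN = """\
SID[  0]: S-1-5-21-1111111111-2222222222-3333333333-1105
SID[  1]: S-1-5-21-1111111111-2222222222-3333333333-513
SID[  2]: S-1-22-2-100
SID[  3]: S-1-1-0
"""

def expected_group_sids(user, primary_gid, groups):
    """SIDs for the primary group plus every group listing `user` as a member."""
    gids = {primary_gid}
    gids.update(gid for _name, gid, members in groups if user in members)
    return {f"{UNIX_GROUP_SID_PREFIX}{gid}" for gid in gids}

def token_unix_group_sids(token_text):
    """Every S-1-22-2-<gid> SID that appears anywhere in the token listing."""
    return {UNIX_GROUP_SID_PREFIX + gid for gid in UNIX_GROUP_SID_RE.findall(token_text)}

def missing_from_token(user, primary_gid, groups, token_text):
    """Expected UNIX group SIDs that the token does not contain, sorted by gid."""
    missing = expected_group_sids(user, primary_gid, groups) - token_unix_group_sids(token_text)
    return sorted(missing, key=lambda sid: int(sid.rsplit("-", 1)[1]))

def local_groups():
    """Group rows from the local NSS databases (UNIX only), for use on a real host."""
    import grp
    return [(g.gr_name, g.gr_gid, list(g.gr_mem)) for g in grp.getgrall()]

if __name__ == "__main__":
    for sid in missing_from_token("alice", 100, SAMPLE_GROUPS, SAMPLE_TOKEN):
        print("missing from token:", sid)
```

On a real server, pass `local_groups()` and the user's primary gid from `pwd.getpwnam()` in place of the sample data.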