CVS update: samba/source/smbd

Andrew Bartlett abartlet at pcug.org.au
Sat Nov 3 21:14:15 EST 2001


Jeremy Allison wrote:
> 
> On Sat, Nov 03, 2001 at 02:07:16PM +1100, Andrew Bartlett wrote:
> > Jeremy Allison wrote:
> > >
> > > Date:   Fri Nov  2 18:00:49 2001
> > > Author: jra
> > >
> > > Update of /data/cvs/samba/source/smbd
> > > In directory va:/tmp/cvs-serv27527/smbd
> > >
> > > Modified Files:
> > >       Tag: SAMBA_2_2
> > >         password.c reply.c uid.c
> > > Log Message:
> > > Added extra group info into 2.2.3.
> > > Jeremy.
> >
> > Is this the right way to do things?
> 
> Yes, I think so.
> 
> > What happens if the remote group
> > can't be represented as a local gid_t?
> 
> Then it is ignored when the calculation is done to create a gid_t.

Which brings us back to where we started.

The problem was that users could be denied access to a resource due to
their membership of a global group, but because we didn't know about
that membership we didn't deny them access.  

My understanding of the original problem was:
 - ACL can be constructed that use Win2k global groups
 - These groups don't show up via winbind's getgroups() because of
protocol limitations, and are only available via the info3 acquired from
a domain logon.
 - Therefore the entry in the ACL is ignored.

With this fix, don't we still have the problem:
 - ACL constructed using groups (need not even be global)
 - These groups are not expressed in the /etc/groups (because winbind
doesn't yet exist on SCO etc)
 - Therefore the entry in the ACL is ignored.

> > I think we should do it both ways:  Use the local groups where they are
> > available (because there may well be local file permissions associated
> > with them) but also store them in the NT_USER_TOKEN no matter what -
> > because many sites run security=domain but without winbind, and they
> > will still have this problem.
> 
> I don't think so. You end up with a disconnect between
> the group lists associated with the uid_t and the group lists
> in the token. This isn't a good idea (IMHO).

I understand the concern, but I think we need to deal with this issue
properly.  I want Samba to run without reference to the local system,
for things like:

 - Non-root mode
 - Non-filesystem VFS.

In particular, the combination of the two.

Would it be sufficient to ensure that NT_USER_TOKEN is always a superset
of the gid_t list?  

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
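A small model of the problem discussed in this thread, added here as an illustration and not taken from Samba's source: a user's NT_USER_TOKEN is built either from the local gid_t list only (so a domain group with no local gid is dropped) or as the superset Andrew proposes (local groups plus every group reported in the info3). A DENY ACE for the unmapped group is then evaluated against both tokens. All SIDs, gids, group names, ACE masks and function names below are constructed for the example.

```python
"""Constructed model of the group-membership gap discussed in the thread.

Not Samba code. Shows why a domain group that cannot be represented as a
local gid_t turns a DENY ACE into a no-op, and what the invariant
"NT_USER_TOKEN is a superset of the gid_t list" buys the access check.
"""
from dataclasses import dataclass

# Constructed SID -> gid mapping, as /etc/group or winbind would supply it.
# "Global Accounting" (…-2001) deliberately has no local gid, which is the
# situation described for hosts without winbind.
SID_TO_GID = {
    "S-1-5-21-1-1-1-513": 1000,   # Domain Users (constructed)
    "S-1-5-21-1-1-1-1108": 1108,  # a mapped domain group (constructed)
}
GID_TO_SID = {gid: sid for sid, gid in SID_TO_GID.items()}

READ = 0x1  # constructed permission bit


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class UserToken:
    user_sid: str
    group_sids: set  # models the group list in NT_USER_TOKEN


def token_from_local_gids(user_sid, gids):
    """Old behaviour modelled: only groups representable as a gid_t survive;
    everything else is silently ignored."""
    return UserToken(user_sid, {GID_TO_SID[g] for g in gids if g in GID_TO_SID})


def token_superset(user_sid, gids, info3_group_sids):
    """Proposal modelled: SIDs of the local gids plus every group SID the
    domain controller reported in the info3."""
    local = {GID_TO_SID[g] for g in gids if g in GID_TO_SID}
    return UserToken(user_sid, local | set(info3_group_sids))


def check_access(token, acl, wanted):
    """Simplified NT ACL walk: a matching DENY covering any wanted bit refuses,
    ALLOWs accumulate until every wanted bit is granted."""
    granted = 0
    for ace in acl:
        if ace.sid != token.user_sid and ace.sid not in token.group_sids:
            continue  # ACE does not apply to this token
        if ace.kind == "deny" and ace.mask & wanted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & wanted == wanted:
                return True
    return False


def token_is_superset_of_gids(token, gids):
    """The invariant asked about at the end of the mail: every local gid that
    maps to a SID is present in the token's group list."""
    return all(GID_TO_SID[g] in token.group_sids for g in gids if g in GID_TO_SID)


def demo():
    """Return (old_path_result, superset_path_result, invariant_holds)."""
    user = "S-1-5-21-1-1-1-5000"                 # constructed user SID
    local_gids = [1000]                          # Domain Users only on this host
    info3_groups = ["S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-2001"]  # DC says: also Global Accounting
    acl = [
        Ace("deny", "S-1-5-21-1-1-1-2001", READ),   # deny Global Accounting
        Ace("allow", "S-1-5-21-1-1-1-513", READ),   # allow Domain Users
    ]
    old_token = token_from_local_gids(user, local_gids)
    new_token = token_superset(user, local_gids, info3_groups)
    return (
        check_access(old_token, acl, READ),   # True: deny ACE never matches (fail-open)
        check_access(new_token, acl, READ),   # False: deny ACE now applies
        token_is_superset_of_gids(new_token, local_gids),
    )


if __name__ == "__main__":
    print(demo())
```

The first result is the original problem: the deny entry is present in the ACL but the group it names is not in the token, so the user is granted access. The superset token makes the deny effective without changing which gid_t values the process runs with, which is the disconnect Jeremy's reply is worried about; the invariant check is the cheap way to confirm the gid_t side never carries a group the token lacks.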



