CVS update: samba/source/smbd
Andrew Bartlett
abartlet at pcug.org.au
Sat Nov 3 22:01:17 EST 2001
Jeremy Allison wrote:
>
> On Sat, Nov 03, 2001 at 09:14:15PM +1100, Andrew Bartlett wrote:
> >
> > Which brings us back to where we started.
> >
> > The problem was that users could be denied access to a resource due to
> > their membership of a global group, but because we didn't know about
> > that membership we didn't deny them access.
> >
> > My understanding of the original problem was:
> > - ACL can be constructed that use Win2k global groups
> > - These groups don't show up via winbind's getgroups() because of
> > protocol limitations, and are only available via the info3 acquired from
> > a domain logon.
> > - Therefore the entry in the ACL is ignored.
>
> The group entries in the info3 that are not returned by
> winbind getgroups() can still be looked up individually via winbind.
> Thus they map into UNIX groups and can be attached to the token.
>
> > With this fix, don't we still have the problem:
> > - ACL constructed using groups (need not even be global)
> > - These groups are not expressed in the /etc/groups (because winbind
> > doesn't yet exist on SCO etc)
> > - Therefore the entry in the ACL is ignored.
>
> For machines without winbind these groups will not be
> looked up, yes. But then again without winbind the
> getgroups() will never return the DOMAIN groups mapped
> to local gids.
>
> > I understand the concern, but I think we need to deal with this issue
> > properly. I want Samba to run without reference to the local system,
> > for things like:
> >
> > - Non-root mode
> > - Non-filesystem VFS.
> >
> > In particular, the combination of the two.
> >
> > Would it be sufficient to ensure that NT_USER_TOKEN is always a superset
> > of the gid_t list?
>
> As we're storing Domain SIDs in an unaltered format in the ACL
> databases for printers etc, then it may be better to do this.
> I'd still rather map all that can be mapped though, and only
> leave the non-mappable SIDs in the token.
Agreed.
> This means reverting to a modification of my earlier code,
> that copied the token around. I'll take a look at doing that
> soon.....
>
> Jeremy.
I certainly liked that patch. There doesn't seem much point in the
double-lookup.
Is the NT_USER_TOKEN format fixed in stone?
Is there any reason we can't attach the gids (if known) to the same
structure? Something like the way I now have optional uid_t and gid_t
values in passdb?
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Samba Team member, Build Farm maintainer abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
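As an added illustration (not code from this thread or from Samba), a small Python model of the token problem discussed above: when the token is built only from what getgroups() returns, a deny ACE naming a global group that appears only in the info3 never matches; building the token as a superset of the gid list makes the deny take effect even where the group has no local gid. The SIDs, gids and ACL below are constructed values.

```python
# Added example, not Samba code. Models NT_USER_TOKEN construction as
# discussed in the thread: the token holds every group SID from the domain
# logon's info3 plus those winbind getgroups() returned, so it is a superset
# of the gid list; SIDs with a local mapping are also attached as gids,
# unmappable SIDs remain in the token as SIDs only.
# Assumption: SIDs are plain strings; an ACL is an ordered list of
# (type, sid) ACEs and the first ACE matching the token decides.

DENY, ALLOW = "deny", "allow"


def build_token(user_sid, info3_group_sids, getgroups_sids, sid_to_gid):
    """Return (token_sids, gids) for the user."""
    sids = [user_sid]
    for sid in list(info3_group_sids) + list(getgroups_sids):
        if sid not in sids:
            sids.append(sid)
    # Only SIDs with a known local gid are attached as gids.
    gids = sorted({sid_to_gid[s] for s in sids if s in sid_to_gid})
    return sids, gids


def access_check(acl, token_sids):
    """First matching ACE wins; no matching ACE means access is denied."""
    for ace_type, sid in acl:
        if sid in token_sids:
            return ace_type == ALLOW
    return False


# Constructed sample values.
USER = "S-1-5-21-1-2-3-1000"
GLOBAL_GRP = "S-1-5-21-1-2-3-513"   # global group, seen only in the info3
LOCAL_GRP = "S-1-5-21-1-2-3-1105"   # group returned by getgroups()
SID_TO_GID = {LOCAL_GRP: 10001}     # the global group has no local gid here
ACL = [(DENY, GLOBAL_GRP), (ALLOW, LOCAL_GRP)]


def demo():
    """Return (old_result, new_result, gids) for the two token strategies."""
    # Old behaviour: token built from getgroups() alone, so the deny ACE
    # for the global group never matches and access is wrongly granted.
    old_sids, _ = build_token(USER, [], [LOCAL_GRP], SID_TO_GID)
    # Fixed behaviour: info3 groups enter the token even without a gid,
    # so the deny ACE matches and access is refused.
    new_sids, gids = build_token(USER, [GLOBAL_GRP], [LOCAL_GRP], SID_TO_GID)
    return access_check(ACL, old_sids), access_check(ACL, new_sids), gids


if __name__ == "__main__":
    print(demo())  # (True, False, [10001])
```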