CVS update: samba/source/smbd

Andrew Bartlett abartlet at pcug.org.au
Sat Nov 3 22:01:17 EST 2001


Jeremy Allison wrote:
> 
> On Sat, Nov 03, 2001 at 09:14:15PM +1100, Andrew Bartlett wrote:
> >
> > Which brings us back to where we started.
> >
> > The problem was that users could be denied access to a resource due to
> > their membership of a global group, but because we didn't know about
> > that membership we didn't deny them access.
> >
> > My understanding of the original problem was:
> >  - ACL can be constructed that use Win2k global groups
> >  - These groups don't show up via winbind's getgroups() because of
> > protocol limitations, and are only available via the info3 acquired from
> > a domain logon.
> >  - Therefore the entry in the ACL is ignored.
> 
> The group entries in the info3 that are not returned by
> winbind getgroups() can still be looked up individually via winbind.
> Thus they map into UNIX groups and can be attached to the token.
> 
> > With this fix, don't we still have the problem:
> >  - ACL constructed using groups (need not even be global)
> >  - These groups are not expressed in the /etc/groups (because winbind
> > doesn't yet exist on SCO etc)
> >  - Therefore the entry in the ACL is ignored.
> 
> For machines without winbind these groups will not be
> looked up, yes. But then again without winbind the
> getgroups() will never return the DOMAIN groups mapped
> to local gids.
> 
> > I understand the concern, but I think we need to deal with this issue
> > properly.  I want Samba to run without reference to the local system,
> > for things like:
> >
> >  - Non-root mode
> >  - Non-filesystem VFS.
> >
> > In particular, the combination of the two.
> >
> > Would it be sufficient to ensure that NT_USER_TOKEN is always a superset
> > of the gid_t list?
> 
> As we're storing Domain SIDs in an unaltered format in the ACL
> databases for printers etc, then it may be better to do this.
> I'd still rather map all that can be mapped though, and only
> leave the non-mappable SIDs in the token.

Agreed.

> This means reverting to a modification of my earlier code,
> that copied the token around. I'll take a look at doing that
> soon.....
> 
> Jeremy.

I certainly liked that patch.  There doesn't seem much point in the
double-lookup.

Is the NT_USER_TOKEN format fixed in stone?

Is there any reason we can't attach the gids (if known) to the same
structure?  Something like the way I now have optional uid_t and gid_t
values in passdb?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
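Added illustration of the token question in the thread above; this is constructed example code, not Samba's NT_USER_TOKEN or ACL code. It models a token that carries every group SID the logon (info3) reported and, alongside it, the unix gids for the SIDs that could be mapped, so the SID list is always a superset of the gid list. The SID strings, the gid numbers, the mapping table standing in for winbind, and all function names are hypothetical. The scenario is the one Andrew describes: an ACL denies a global group that never became a local gid, so a token built only from getgroups() misses the deny entry, while the superset token still matches it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Constructed illustration, not Samba code. SIDs are strings to keep it short. */
#define MAX_SIDS 16
#define SID_LEN 48
#define NELEM(a) (sizeof (a) / sizeof (a)[0])

enum { ACE_ALLOW, ACE_DENY };
struct ace { int type; char trustee[SID_LEN]; };
struct acl { struct ace aces[8]; size_t n; };

/* Hypothetical token: every group SID the logon (info3) reported, plus the unix gids
 * for those SIDs that could be mapped. The SID list is always a superset of the gid list. */
struct user_token {
    char sids[MAX_SIDS][SID_LEN];
    size_t num_sids;
    gid_t gids[MAX_SIDS];
    size_t num_gids;
};

/* Stand-in for the winbind / local-group lookup (constructed table). A SID missing here
 * models a group that cannot be resolved to a gid on this host. */
struct sid_gid_map { const char *sid; gid_t gid; };
static const struct sid_gid_map sid_gid_table[] = {
    { "S-1-5-21-1-2-3-513", 1000 },   /* Domain Users -> gid 1000 (hypothetical) */
};

static bool sid_to_gid(const char *sid, gid_t *gid) {
    for (size_t i = 0; i < NELEM(sid_gid_table); i++)
        if (strcmp(sid_gid_table[i].sid, sid) == 0) { *gid = sid_gid_table[i].gid; return true; }
    return false;
}

static bool gid_to_sid(gid_t gid, char *out) {
    for (size_t i = 0; i < NELEM(sid_gid_table); i++)
        if (sid_gid_table[i].gid == gid) { strncpy(out, sid_gid_table[i].sid, SID_LEN - 1); return true; }
    return false;
}

/* Old way: build the token only from the gids getgroups() returned, mapped back to SIDs.
 * A domain group that never became a unix gid is silently absent. */
static void token_from_gids(struct user_token *t, const gid_t *gids, size_t n) {
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < n && i < MAX_SIDS; i++) {
        t->gids[t->num_gids++] = gids[i];
        if (gid_to_sid(gids[i], t->sids[t->num_sids])) t->num_sids++;
    }
}

/* Proposed way: keep every SID from the logon, attach a gid where one maps, leave the
 * rest SID-only so ACL entries naming them still match. */
static void token_from_info3(struct user_token *t, const char *const *sids, size_t n) {
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < n && i < MAX_SIDS; i++) {
        gid_t g;
        strncpy(t->sids[t->num_sids++], sids[i], SID_LEN - 1);
        if (sid_to_gid(sids[i], &g)) t->gids[t->num_gids++] = g;
    }
}

static bool token_has_sid(const struct user_token *t, const char *sid) {
    for (size_t i = 0; i < t->num_sids; i++)
        if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* NT-style evaluation reduced to one right: the first ACE whose trustee is in the
 * token decides; no match means denied. */
static bool acl_allows(const struct acl *a, const struct user_token *t) {
    for (size_t i = 0; i < a->n; i++)
        if (token_has_sid(t, a->aces[i].trustee)) return a->aces[i].type == ACE_ALLOW;
    return false;
}

/* Scenario: the user is in Domain Users (mappable) and in a global group that only the
 * info3 reports and that has no gid on this host. The ACL denies that global group. */
#define DOMAIN_USERS "S-1-5-21-1-2-3-513"
#define GLOBAL_GROUP "S-1-5-21-1-2-3-2001"   /* hypothetical; not in the mapping table */
static const struct acl example_acl = {
    { { ACE_DENY, GLOBAL_GROUP }, { ACE_ALLOW, DOMAIN_USERS } }, 2
};

/* True when the gid-only token slips past the deny ACE: the problem in the thread. */
bool gid_only_token_bypasses_deny(void) {
    gid_t gids[] = { 1000 };                  /* what getgroups() would hand back */
    struct user_token t;
    token_from_gids(&t, gids, NELEM(gids));
    return acl_allows(&example_acl, &t);
}

/* True when the superset token honours the deny ACE even though the group has no gid. */
bool superset_token_honours_deny(void) {
    const char *sids[] = { DOMAIN_USERS, GLOBAL_GROUP };
    struct user_token t;
    token_from_info3(&t, sids, NELEM(sids));
    return !acl_allows(&example_acl, &t);
}
```

The point to check in any real implementation is the one the first function exposes: a deny entry is only as good as the token's ability to name the trustee, so dropping SIDs that do not map to a gid turns a deny into silence. Keeping the unmapped SIDs in the token (and the gids only as an optional annotation, as the passdb uid_t/gid_t fields do) avoids that without requiring a second lookup at access-check time.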