CVS update: samba/source/smbd

Sat Nov 3 06:03:05 GMT 2001

Moved over to samba-technical....

On Sat, 3 Nov 2001, Andrew Bartlett wrote:

> > > > Modified Files:
> > > >       Tag: SAMBA_2_2
> > > >         password.c reply.c uid.c
> > > > Log Message:
> > > > Added extra group info into 2.2.3.
> > > > Jeremy.
> > >
> > > Is this the right way to do things?
> >
> > Yes, I think so.
> >
> > > What happens if the remote group
> > > can't be represented as a local gid_t?
> >
> > Then it is ignored when the calculation is done
> > to create a gid_t.
>
> Which brings us back to where we started.
>
> The problem was that users could be denied access to a resource due to
> their membership of a global group, but becouse we didn't know about
> that membership we didn't deny them access.
>
> My understanding of the original problem was:
>  - ACL can be constructed that use Win2k global groups
>  - These groups don't show up via winbind's getgroups() becouse of
> protocol limitations, and are only avaliable via the info3 aquired from
> a domain logon.
>  - Therfore the entry in the ACL is ignored.
>
> With this fix, don't we still have the problem:
>  - ACL constructed using groups (need not even be global)
>  - These groups are not expressed in the /etc/groups (becouse winbind
> doesn't yet exist on SCO etc)
>  - Therfore the entry in the ACL is ignored.
>
> > > I think we should do it both ways:  Use the local groups where they are
> > > available (becouse there may well be local file premissions associated
> > > with them) but also store them in the NT_USER_TOKEN no matter what -
> > > becouse many sites run security=domain but without winbind, and they
> > > will still have this problem.
> >
> > I don't think so. You end up with a disconnect between
> > the group lists associated with the uid_t and the group lists
> > in the token. This isn't a good idea (IMHO).
>
> I understand the concern, but I think we need to deal with this issue
> properly.  I want Samba to run without reference to the local system,
> for things like:
>
>  - Non-root mode
>  - Non-filesystem VFS.

The "without reference to the local system" bother me a little.
I understand why you would want this for the build farm, but I
am not convinced it would be good for a production system

> In particular, the combination of the two.
>
> Would it be sufficient to ensure that NT_USER_TOKEN is always a
> superset of the gid_t list?

Could you convince me of

  * a good reason (example) of why this is needed
  * the impact of it on the existing model of
    failing on unknown SIDs.

cheers, jerry
 ---------------------------------------------------------------------
 www.samba.org              SAMBA Team              jerry_at_samba.org
 www.plainjoe.org                                jerry_at_plainjoe.org
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--