Proposal for smbd failing more gracefully when ngroups > NGROUPS_MAX

Michael Steffens michael.steffens at hp.com
Mon Mar 17 14:46:11 GMT 2003


Hello,

The "[Samba] number of groups of NT account causes authentication
problems" thread discussed the problem of dealing with NT users,
which are members of more domain global groups than the OS running
Samba can cope with.

Limits do vary: some have 16, or 20, or 32; with some platforms it's
tunable, with others it isn't, or only with very much trouble.

How about making smbd a bit more tolerant concerning groups? If the
total number returned by winbind for a given user exceeds maximum,
it may drop all but the primary group.

This would at least allow coping with such users in setups where
access control is only done via "valid users", plus "force group"
for common access.

Users who got their supplementary groups stripped this way would not
be able to utilize their memberships when using ACLs. This should
represent a fail-to-close, except when "others" has more
privileges than specific groups.

Would this be acceptable? It is not ideal, of course, but maybe
better than no way of dealing with such users?

Attached is a little patch implementing this in 2.2.8.

Cheers!
Michael



-------------- next part --------------
Index: source/nsswitch/wb_client.c
===================================================================
RCS file: /cvsroot/samba/source/nsswitch/wb_client.c,v
retrieving revision 1.5.2.19
diff -u -r1.5.2.19 wb_client.c
--- source/nsswitch/wb_client.c	13 Sep 2002 23:46:27 -0000	1.5.2.19
+++ source/nsswitch/wb_client.c	17 Mar 2003 14:11:29 -0000
@@ -325,6 +325,15 @@
 			ngroups++;
 		}
 
+		/* Omit supplementary groups when exceeding maximum */
+
+		if (ngroups > groups_max()) {
+			DEBUG(1,("number of group memberships (%d) for user %s exceeds maximum %d, restricting to gid %d\n",
+				ngroups, user, groups_max(), gid));
+			groups[0] = gid;
+			ngroups = 1;
+		}
+
 		/* Set the groups */
 
 		if (sys_setgroups(ngroups, groups) == -1) {
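Review bot: the fallback in this hunk (`groups[0] = gid; ngroups = 1;`, i.e. keep the primary gid) does not match the sec_ctx.c hunks in the same patch, which pass 0 groups to sys_setgroups when the count exceeds groups_max(); pick one behaviour so the credentials installed at logon and those restored by the security-context stack agree. In the DEBUG call, gid (a gid_t, unsigned on many platforms) is printed with %d; cast it to int as the rest of the tree does. groups_max() is also evaluated twice in the same statement; read it once into a local. Finally, please confirm that groups_max() counts the same list as ngroups here, since on some platforms the maximum excludes the effective gid and the `>` comparison would then be off by one.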
Index: source/smbd/sec_ctx.c
===================================================================
RCS file: /cvsroot/samba/source/smbd/sec_ctx.c,v
retrieving revision 1.7.2.19
diff -u -r1.7.2.19 sec_ctx.c
--- source/smbd/sec_ctx.c	16 Jul 2002 01:09:44 -0000	1.7.2.19
+++ source/smbd/sec_ctx.c	17 Mar 2003 14:11:29 -0000
@@ -343,7 +343,7 @@
 	gain_root();
 
 #ifdef HAVE_SETGROUPS
-	sys_setgroups(ngroups, groups);
+	sys_setgroups((ngroups > groups_max() ? 0 : ngroups), groups);
 #endif
 
 	ctx_p->ngroups = ngroups;
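Review bot: `ctx_p->ngroups = ngroups;` records the full, untruncated count even when the ternary on the line above has just passed 0 to sys_setgroups, so the saved context no longer describes the credentials actually installed; anything that later consults ctx_p->ngroups and ctx_p->groups for a user-space membership decision will treat the user as a member of groups the kernel never granted. Store the count that was really set (0 here, or 1 with the primary gid, matching whichever policy the wb_client.c hunk settles on), or flag the truncation in the context. The return value of sys_setgroups is still discarded, so a failure stays silent; a DEBUG line like the one in the wb_client.c hunk would help when diagnosing exactly the case this patch targets.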
@@ -419,7 +419,7 @@
 	prev_ctx_p = &sec_ctx_stack[sec_ctx_stack_ndx];
 
 #ifdef HAVE_SETGROUPS
-	sys_setgroups(prev_ctx_p->ngroups, prev_ctx_p->groups);
+	sys_setgroups((prev_ctx_p->ngroups > groups_max() ? 0 : prev_ctx_p->ngroups), prev_ctx_p->groups);
 #endif
 
 	become_id(prev_ctx_p->uid, prev_ctx_p->gid);
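Review bot: this conditional duplicates the one in the hunk at line 343; move it into a small static helper that takes ngroups and groups and applies the groups_max() rule, so the two call sites cannot drift apart. As in the earlier hunk, the restore passes 0 groups rather than the single primary gid used in wb_client.c; since become_id() is called with prev_ctx_p->gid on the following line the user keeps primary-group access either way, but the two paths should implement and document the same policy, and the comment from wb_client.c ("Omit supplementary groups when exceeding maximum") belongs here too.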

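As an added example (not part of the original post and not Samba code), the fallback policy described in the message above, run through a classic Unix owner/group/other permission check to show where it is fail-closed and the one case where it is not: a file whose "other" bits grant more than its group bits. The names restrict_groups, may_access, build_groups and file_perm, the uid/gid values and the mode bits are constructed for this example; the patch's groups_max() is represented by an explicit max parameter.

```c
/* Added example; not Samba code. Implements the proposal's fallback
 * (drop all supplementary groups when the list exceeds the platform
 * maximum, keep only the primary gid) and runs a Unix mode-bit check
 * against the full and the restricted list. All names and sample
 * values are constructed for this example. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define R_BIT 4
#define W_BIT 2
#define X_BIT 1

/* Constructed stand-in for the ownership and mode bits of a file. */
struct file_perm {
    uid_t owner;
    gid_t group;
    unsigned int mode;   /* e.g. 0640 */
};

/* The proposal's policy: if ngroups exceeds max (groups_max() in the
 * patch), keep only the primary gid. Returns the new list length. */
int restrict_groups(gid_t gid, gid_t *groups, int ngroups, int max)
{
    if (ngroups > max) {
        groups[0] = gid;
        return 1;
    }
    return ngroups;
}

/* Unix mode-bit check: the owner class applies if uid matches, else the
 * group class if any gid in the list matches, else the "other" class.
 * The first matching class decides; a group member never falls through
 * to "other", even when "other" has more bits than "group". */
int may_access(uid_t uid, const gid_t *groups, int ngroups,
               const struct file_perm *f, unsigned int want)
{
    int shift = 0;             /* "other" */
    if (uid == f->owner) {
        shift = 6;             /* owner */
    } else {
        int i;
        for (i = 0; i < ngroups; i++) {
            if (groups[i] == f->group) {
                shift = 3;     /* group */
                break;
            }
        }
    }
    return ((f->mode >> shift) & want) == want;
}

/* Constructed group list: primary gid first, then n-1 supplementary
 * gids 1000, 1001, ... as a domain user with many groups would have. */
int build_groups(gid_t gid, gid_t *groups, int n)
{
    int i;
    groups[0] = gid;
    for (i = 1; i < n; i++) {
        groups[i] = 1000 + (gid_t)(i - 1);
    }
    return n;
}

int main(void)
{
    gid_t groups[40];
    int n = build_groups(100, groups, 40);       /* 40 > a 16-group limit */
    /* File A: group may read, others may not. File B: the reverse. */
    struct file_perm a = { 1, 1005, 0640 };
    struct file_perm b = { 1, 1005, 0604 };
    uid_t uid = 500;

    printf("platform NGROUPS_MAX: %ld\n", sysconf(_SC_NGROUPS_MAX));
    printf("full list  : A read=%d  B read=%d\n",
           may_access(uid, groups, n, &a, R_BIT),
           may_access(uid, groups, n, &b, R_BIT));

    n = restrict_groups(100, groups, n, 16);     /* 16 stands in for groups_max() */
    printf("restricted : A read=%d  B read=%d  (ngroups now %d)\n",
           may_access(uid, groups, n, &a, R_BIT),
           may_access(uid, groups, n, &b, R_BIT), n);
    /* A: 1 -> 0, fail-closed.  B: 0 -> 1, access gained via "other". */
    return 0;
}
```

File A (mode 0640) is the fail-to-close case: the stripped user loses the read access that group membership would have granted. File B (mode 0604) is the exception named in the message: with the full list the user is a group member and the group bits (no read) apply, but once the groups are stripped the "other" class applies and grants read, so stripping supplementary groups can widen access on files where "others" has more privileges than the group.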
