'force user' broken for winbind users?

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Jan 13 09:17:17 GMT 2006


On Thu, Jan 12, 2006 at 09:28:01PM -0600, Gerald (Jerry) Carter wrote:
> I thought it was only the uid?  Been too long since I looked at
> that code I guess.

We have the following code in smbd/service.c:

                /* Find all the groups this uid is in and
                   store them. Used by change_to_user() */
                initialise_groups(conn->user, conn->uid, conn->gid);
                get_current_groups(conn->gid, &conn->ngroups,&conn->groups);

initialise_groups will call out to wb_getgroups if it finds the separator. And
this will fail in many current domain setups.

> I don't think this is realistic.  I think people will want
> to use domain users in 'force user'.  I would rather know
> when and why we started using the group membership of
> the forced user instead of just the uid.

Ok, this is *ancient*, it's from pre-CVS(!) times. In 
http://cvs.samba.org/cgi-bin/cvsweb/samba/source/smbd/service.c?rev=1.1 I found

	if (!IS_IPC(conn)) {
		/* Find all the groups this uid is in and
		   store them. Used by become_user() */
		setup_groups(conn->user,conn->uid,conn->gid,
			     &conn->ngroups,&conn->groups);

It has evolved, but this is the core to get the group list, and this is done
after the check for lp_force_user().

Even force user alone might be difficult, as we might have no way to find the
primary group. Getting the user sid and thus a uid is always possible,
lsa_lookupnames works. The case where we can't find the user info might be when
force user is set to a trusted domain. This is probably a very rare scenario, in
which case we could fall back to our own domain's domain users group I think.

I'd be much happier if we could restrict it to just the uid; within current
domain setups getting the list of gids is just not reliable with winbind.

Volker
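The behaviour discussed above only bites on shares whose 'force user' names a
domain user, i.e. one containing the winbind separator (Samba's documented
default is a backslash, overridable with the global 'winbind separator'
parameter). The following is an added example, not code from this thread or
from the Samba project: a small Python check that parses an smb.conf and lists
the shares where the forced user would go through winbind for its group list.
It assumes a simplified smb.conf syntax ([section] headers, 'key = value'
lines, '#'/';' comments; no 'include' directives and no backslash line
continuation), and the sample configuration embedded in it is constructed.

```python
"""List smb.conf shares whose 'force user' is a winbind (domain) user.

Added example; not code from the Samba project. Only the subset of smb.conf
syntax needed here is handled: [section] headers, 'key = value' lines and
'#'/';' comments. Samba treats parameter names as case- and
whitespace-insensitive ('force user' == 'ForceUser'), which normalize_key()
reproduces. 'include' and backslash line continuation are not supported.
"""
import re
from typing import Dict, List, Tuple

# Samba's documented default for the global 'winbind separator' parameter.
DEFAULT_WINBIND_SEPARATOR = "\\"


def normalize_key(key: str) -> str:
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_name: {normalized_key: value}} for a simplified smb.conf."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section or a malformed line
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)] = value.strip()
    return sections


def forced_domain_users(text: str) -> List[Tuple[str, str]]:
    """Shares whose 'force user' contains the winbind separator.

    These are the shares where smbd would have to ask winbind for the forced
    user's group list, the lookup the thread above describes as unreliable.
    """
    conf = parse_smb_conf(text)
    sep = conf.get("global", {}).get("winbindseparator", DEFAULT_WINBIND_SEPARATOR)
    hits: List[Tuple[str, str]] = []
    for share, params in conf.items():
        if share == "global":
            continue
        user = params.get("forceuser")
        if user and sep in user:
            hits.append((share, user))
    return hits


# Constructed sample configuration (not from a real host). The global section
# sets a non-default separator, so 'EXAMPLE+svc_share' is a domain user while
# 'nobody' is a plain local account.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   winbind separator = +

[public]
   path = /srv/public
   force user = nobody

[projects]
   path = /srv/projects
   Force User = EXAMPLE+svc_share
   writable = yes
"""

if __name__ == "__main__":
    for share, user in forced_domain_users(SAMPLE_SMB_CONF):
        print(f"[{share}] force user = {user}  (domain user, winbind group lookup)")
```

Run it against a real smb.conf by reading the file into `forced_domain_users()`; an empty result means no share forces a domain user and the group-list lookup is not in play.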