Hold off on 3.2.2 release please.

Jeremy Allison jra at samba.org
Fri Aug 15 02:24:35 GMT 2008


On Thu, Aug 14, 2008 at 06:27:15PM -0700, Jeremy Allison wrote:
> On Thu, Aug 14, 2008 at 05:03:39PM -0700, Jeremy Allison wrote:
> > I'm tracking a potential show-stopper with Herb w.r.t. group
> > membership order in smbd when using winbindd to auth.
> > 
> > I'll post more when I have more info. Herb is also looking
> > into this tonight.
> 
> Ok, here's the patch that works for Herb so I don't lose it. I'm
> going to check this in later tonight with a full explanation.

Actually, I think this is a better patch - covers all
possible instances of this problem.

The problem is that when smbd authenticates to winbindd
via ntlm, the returned sid group list is sorted in the
reverse order to what smbd expects. I.e. the sid at position
0 in the array is not the primary group sid. This messes
up the primary group associated with created files.

Herb can reproduce this at will. The following patch
needs more testing (i.e. I've compiled it but not given
to Herb for testing), so I think we should postpone
3.2.2 until Monday.

Please let me know what you think.

Jeremy.
-------------- next part --------------
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 2024526..a183afb 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -27,6 +27,34 @@
 #define DBGC_CLASS DBGC_AUTH
 
 /****************************************************************************
+ Ensure primary group SID is always at position 0 in a 
+ auth_serversupplied_info struct.
+****************************************************************************/
+
+static void sort_sid_array_for_smbd(auth_serversupplied_info *result,
+				const DOM_SID *pgroup_sid)
+{
+	unsigned int i;
+
+	if (!result->sids) {
+		return;
+	}
+
+	if (sid_compare(&result->sids[0], pgroup_sid)==0) {
+		return;
+	}
+
+	for (i = 1; i < result->num_sids; i++) {
+		if (sid_compare(pgroup_sid,
+				&result->sids[i]) == 0) {
+			sid_copy(&result->sids[i], &result->sids[0]);
+			sid_copy(&result->sids[0], pgroup_sid);
+			return;
+		}
+	}
+}
+
+/****************************************************************************
  Create a UNIX user on demand.
 ****************************************************************************/
 
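Review bot: in sort_sid_array_for_smbd() the for loop falls off the end without changing anything when pgroup_sid is not present in result->sids, so the "always at position 0" promise in the header comment does not hold in that case, and because the function returns void the caller cannot tell. Consider returning a bool, or logging with DEBUG when no match is found. The guard also tests only `!result->sids` before reading `result->sids[0]`; adding a `result->num_sids == 0` check would cover a non-NULL but empty array. Minor: the function swaps one entry with slot 0 rather than sorting, so the SID previously at index 0 ends up at index i; the name and comment could say that.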
@@ -1679,6 +1707,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 		return nt_status;
 	}
 
+	/* Ensure the primary group sid is at position 0. */
+	sort_sid_array_for_smbd(result, &group_sid);
+
 	result->login_server = talloc_strdup(result,
 					     info3->base.logon_server.string);
 
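Review bot: at the new call `sort_sid_array_for_smbd(result, &group_sid);` nothing in this hunk shows where group_sid is filled in, so it is worth confirming that it holds the primary group SID on every path that gets past the `return nt_status;` check above. The helper compares against it with sid_compare(), and a stale or unset value would make it either do nothing or move the wrong entry to position 0.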
@@ -1915,6 +1946,9 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
 		memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
 	}
 
+	/* Ensure the primary group sid is at position 0. */
+	sort_sid_array_for_smbd(result, &group_sid);
+
 	/* ensure we are never given NULL session keys */
 
 	ZERO_STRUCT(zeros);
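Review bot: the context line just above the new call fills `result->sids[i]` from `info->sids[i+2].sid`, i.e. it skips the first two source entries. If the primary group SID is one of those skipped entries, it never lands in result->sids, the helper's loop finds no match, and the call is a silent no-op on this path. Please confirm that group_sid can actually appear in result->sids here, or have the helper report when it is missing so this case is visible in testing.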

