[Samba] User's groups issue

Ephi Dror Ephi.Dror at datadomain.com
Wed Aug 27 21:41:25 GMT 2008


Hi Jerry,

I'm moving our discussion to technical list.

I just wanted to point out that I think the code in samlogon_cache.c is incorrect.

It uses the wrong tdb pointer.

Here is the right code in my opinion:

/* Remove a user's cached samlogon (NET_USER_INFO_3) entry from the
 * netsamlogon tdb. The entry is keyed by the user's full SID string,
 * so the key is rebuilt here from domain SID + RID. */
void netsamlogon_clear_cached_user(NET_USER_INFO_3 *user)
{
        DOM_SID sid;
        fstring key_str, sid_string;

        /* Make sure netsamlogon_tdb is open before touching it. */
        if (!netsamlogon_cache_init()) {
                DEBUG(0,("netsamlogon_clear_cached_user: cannot open %s for write!\n", NETSAMLOGON_TDB));
                return;
        }

        /* Build the user SID: domain SID with the user RID appended. */
        sid_copy(&sid, &user->dom_sid.sid);
        sid_append_rid(&sid, user->user_rid);

        /* The cache key is the textual form of that SID. */
        fstr_sprintf(key_str, "%s", sid_to_string(sid_string, &sid));
        DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key_str));

        /* Delete from the samlogon cache tdb itself, not some other tdb handle. */
        tdb_delete_bystring(netsamlogon_tdb, key_str);
}

I tested it and it works like a Swiss Watch.

The reason this bug was hidden is that when we store we use TDB_REPLACE:
           tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_REPLACE)

Thanks a lot,
Ephi

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
Sent: Tuesday, August 26, 2008 11:42 AM
To: Ephi Dror
Cc: samba at lists.samba.org
Subject: Re: [Samba] User's groups issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ephi Dror wrote:
> Hello again,
>
> I looked at the code and found out that really the
> only way to have accurate group membership info is
> if one of the following functions are called:
>
> In winbindd_pam.c:
>
> 1. winbindd_dual_pam_auth()
> 2. winbindd_dual_pam_auth_crap()
>
> I would recommend thinking about ways to call
> netsamlogon_clear_cached_user() in other places to allow
> non-authentication PAM functions such as "id" to work well.

The samlogon reply or PAC information is the only completely
accurate view of the user group membership.  Querying AD
is not always guaranteed to work.  So the samlogon cache
takes precedence.  As to an expiration time on the cache
entry, we have never agreed on how to do this without
potentially deleting information during a valid user session,
since applications are not required to call pam_close_session().

Also, the concept of an SMB session becomes more difficult to
track in this case.





cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFItE5bIR7qMdg1EfYRAg6GAKDXUAsBV8qC/qN5DDc/63mObAdEygCg3D27
dFyS9vaRyK4nhTSI1peEJ8M=
=yg0/
-----END PGP SIGNATURE-----
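The bug discussed above (a clear routine deleting through the wrong store handle, hidden because stores use TDB_REPLACE) is easy to reproduce against a stand-in for the cache. The following is an added example, not Samba code and not from either poster; it replaces tdb with a tiny in-memory table, and all names in it (mock_tdb, build_user_key, mock_store, the sample SID and RID) are constructed for this illustration. It shows that a delete issued against an unrelated handle leaves the user's entry, and hence stale group membership, in the real cache, that a replace-style store silently overwrites that stale record on the next logon, and that a store-clear-lookup check catches the defect.

```c
/*
 * Added example (not Samba code): in-memory stand-in for the samlogon
 * tdb cache. Demonstrates why a clear that targets the wrong store handle
 * leaves a stale user entry and why TDB_REPLACE-style stores hide it.
 * All identifiers here are assumptions of this example, not Samba APIs.
 */
#include <stdio.h>
#include <string.h>

#define MOCK_ENTRIES 8
#define MOCK_KEYLEN  64
#define MOCK_VALLEN  128

struct mock_tdb {
    char key[MOCK_ENTRIES][MOCK_KEYLEN];
    char val[MOCK_ENTRIES][MOCK_VALLEN];
    int  used[MOCK_ENTRIES];
};

/* Two distinct handles: the samlogon cache itself and an unrelated store. */
static struct mock_tdb netsamlogon_store;   /* the correct handle */
static struct mock_tdb unrelated_store;     /* a wrong handle */

/* Build the cache key like the original: domain SID with the RID appended. */
void build_user_key(const char *domain_sid, unsigned int rid,
                    char *out, size_t outlen)
{
    snprintf(out, outlen, "%s-%u", domain_sid, rid);
}

static int find_slot(const struct mock_tdb *db, const char *key)
{
    for (int i = 0; i < MOCK_ENTRIES; i++)
        if (db->used[i] && strcmp(db->key[i], key) == 0)
            return i;
    return -1;
}

/* Store with replace semantics (like TDB_REPLACE): overwrite if present. */
int mock_store(struct mock_tdb *db, const char *key, const char *val)
{
    int i = find_slot(db, key);
    if (i < 0) {
        for (i = 0; i < MOCK_ENTRIES && db->used[i]; i++)
            ;
        if (i == MOCK_ENTRIES)
            return -1;                      /* table full */
        db->used[i] = 1;
        snprintf(db->key[i], MOCK_KEYLEN, "%s", key);
    }
    snprintf(db->val[i], MOCK_VALLEN, "%s", val);
    return 0;
}

/* Delete by key; returns -1 when the key is absent from this handle. */
int mock_delete(struct mock_tdb *db, const char *key)
{
    int i = find_slot(db, key);
    if (i < 0)
        return -1;
    db->used[i] = 0;
    return 0;
}

const char *mock_fetch(const struct mock_tdb *db, const char *key)
{
    int i = find_slot(db, key);
    return i < 0 ? NULL : db->val[i];
}

/* Helper for checks: does the built key equal the expected string? */
int key_equals(const char *domain_sid, unsigned int rid, const char *expected)
{
    char key[MOCK_KEYLEN];
    build_user_key(domain_sid, rid, key, sizeof(key));
    return strcmp(key, expected) == 0;
}

/*
 * Returns 1 when all three observations hold: deleting through the wrong
 * handle leaves the entry in the cache (stale groups), deleting through the
 * right handle removes it, and a replace-style store overwrites silently
 * (which is why the wrong-handle bug went unnoticed).
 */
int stale_entry_survives_wrong_handle(void)
{
    /* Constructed sample SID and RID, not real values. */
    const char *dom = "S-1-5-21-111-222-333";
    unsigned int rid = 1105;
    char key[MOCK_KEYLEN];
    build_user_key(dom, rid, key, sizeof(key));

    memset(&netsamlogon_store, 0, sizeof(netsamlogon_store));
    memset(&unrelated_store, 0, sizeof(unrelated_store));

    mock_store(&netsamlogon_store, key, "groups=Domain Users,Domain Admins");
    mock_delete(&unrelated_store, key);           /* the buggy clear */
    int stale = mock_fetch(&netsamlogon_store, key) != NULL;

    mock_delete(&netsamlogon_store, key);         /* the correct clear */
    int cleared = mock_fetch(&netsamlogon_store, key) == NULL;

    /* Next logon stores again; with replace semantics it would have hidden the stale record. */
    mock_store(&netsamlogon_store, key, "groups=Domain Users");
    const char *v = mock_fetch(&netsamlogon_store, key);
    int overwritten = v != NULL && strcmp(v, "groups=Domain Users") == 0;

    return stale && cleared && overwritten;
}

int main(void)
{
    printf("%s\n", stale_entry_survives_wrong_handle()
                       ? "wrong-handle clear leaves stale entry; correct clear removes it"
                       : "unexpected result");
    return 0;
}
```

The useful defensive takeaway is the shape of the check in stale_entry_survives_wrong_handle(): after a clear, look the key up on the same handle the store used and expect NULL; a replace-only store path never exercises that and so never surfaces a delete that went to the wrong tdb.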
