[PATCH] s3: Lookup unknown SIDs in get_primary_group_sid
Christof Schmitt
christof.schmitt at us.ibm.com
Fri Jul 6 13:30:02 MDT 2012
christof.schmitt at us.ibm.com wrote on 06/27/2012 12:44:18 PM:
> When Samba is running as AD member using winbindd for id lookups,
> each user automatically gets the privilege of the group 'Domain
> Users'. This happens even when the user has been removed from the
> group 'Domain Users'.
>
> A trace shows that get_primary_group_sid forces the primary group
> to be 'Domain Users':
>
> [2012/06/27 21:05:18.700197, 5] lib/username.c:171(Get_Pwnam_alloc)
> Finding user VIRTUAL1\testuser1
> [2012/06/27 21:05:18.700232, 5] lib/username.c:116(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as lowercase is virtual1\testuser1
> [2012/06/27 21:05:18.700268, 5] lib/username.c:149(Get_Pwnam_internals)
> Get_Pwnam_internals did find user [VIRTUAL1\testuser1]!
> [2012/06/27 21:05:18.700335, 10] passdb/lookup_sid.c:1414(gid_to_sid)
> gid 13000514 -> sid S-1-5-21-531246827-3739281486-2559166756-514
> [2012/06/27 21:05:18.700703, 10] groupdb/mapping_tdb.c:235(find_map)
> failed to unpack map
> [2012/06/27 21:05:18.700950, 10] groupdb/mapping_tdb.c:235(find_map)
> failed to unpack map
> [2012/06/27 21:05:18.701076, 3] passdb/lookup_sid.c:1759(get_primary_group_sid)
> Forcing Primary Group to 'Domain Users' for VIRTUAL1\testuser1
>
> This is caused by get_primary_group_sid calling pdb_gid_to_sid to
> determine if the group is a mapped group:
>
> /* Try group mapping */
> ZERO_STRUCTP(group_sid);
> if (pdb_gid_to_sid(pwd->pw_gid, group_sid)) {
>         need_lookup_sid = true;
> }
>
> Since there is no mapping for arbitrary groups that can be set as
> primary group, this check fails and get_primary_group_sid reverts
> to forcing 'Domain Users' as default group.
>
> The attached patch removes this check to let the following code
> verify the group with lookup_sid. With this patch, access to
> resources only available to 'Domain Users' is denied for user ids
> that are not members of the group.
>
> Is this a valid approach to solve the problem?
Ping. Any comments on the patch?
Regards,
Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-Lookup-unknown-SIDs-in-get_primary_group_sid.patch
Type: application/octet-stream
Size: 1254 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120706/d97b44cb/attachment.obj>
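The following is an added illustration, not Samba's code and not the attached patch: a simplified model of the two primary-group resolution strategies the post contrasts. The pre-patch function only trusts the gid when a local group mapping exists and otherwise forces Domain Users; the patched function resolves the gid through the idmap and verifies the SID with a lookup, falling back only when verification fails. The domain SID and gid 13000514 are taken from the posted trace; the idmap, group-mapping and lookup tables and all function names are constructed stand-ins.

```c
/*
 * Simplified model of primary-group resolution (added illustration, not
 * Samba's code). The tables below are constructed around the values in the
 * posted trace; the function names are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_SID   "S-1-5-21-531246827-3739281486-2559166756" /* domain SID from the trace */
#define DOMAIN_USERS DOMAIN_SID "-513"   /* well-known RID 513 = Domain Users */
#define TRACE_GID    13000514u           /* primary gid of testuser1 in the trace */

/* Constructed idmap answers (what winbindd would return for gid -> SID). */
static const struct { unsigned gid; const char *sid; } idmap[] = {
    { 13000513u, DOMAIN_SID "-513" },
    { TRACE_GID, DOMAIN_SID "-514" },
};

/* Constructed local group-mapping table: only explicitly mapped groups are
 * present, so an arbitrary AD group used as primary group is absent. */
static const unsigned locally_mapped_gids[] = { 13000513u };

/* Constructed directory answer: SIDs the lookup would classify as groups. */
static const char *known_group_sids[] = { DOMAIN_SID "-513", DOMAIN_SID "-514" };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* gid -> SID through the idmap; false when the gid is unknown. */
static bool idmap_gid_to_sid(unsigned gid, char *out, size_t n)
{
    for (size_t i = 0; i < COUNT(idmap); i++) {
        if (idmap[i].gid == gid) {
            snprintf(out, n, "%s", idmap[i].sid);
            return true;
        }
    }
    return false;
}

/* Stands in for the pdb_gid_to_sid() check: is there a local group mapping? */
static bool local_group_mapping_exists(unsigned gid)
{
    for (size_t i = 0; i < COUNT(locally_mapped_gids); i++)
        if (locally_mapped_gids[i] == gid)
            return true;
    return false;
}

/* Stands in for the lookup_sid() verification: is the SID a known group? */
static bool sid_is_known_group(const char *sid)
{
    for (size_t i = 0; i < COUNT(known_group_sids); i++)
        if (strcmp(known_group_sids[i], sid) == 0)
            return true;
    return false;
}

/* Pre-patch logic: the gid is only verified if a local mapping exists;
 * otherwise the primary group is forced to Domain Users.
 * Returns true when the user's real group was used, false on fallback. */
bool primary_group_sid_before(unsigned gid, char *out, size_t n)
{
    if (local_group_mapping_exists(gid) &&
        idmap_gid_to_sid(gid, out, n) && sid_is_known_group(out))
        return true;
    snprintf(out, n, "%s", DOMAIN_USERS);   /* forced default */
    return false;
}

/* Patched logic: resolve through the idmap and verify the SID directly;
 * fall back to Domain Users only when the SID cannot be verified. */
bool primary_group_sid_after(unsigned gid, char *out, size_t n)
{
    if (idmap_gid_to_sid(gid, out, n) && sid_is_known_group(out))
        return true;
    snprintf(out, n, "%s", DOMAIN_USERS);
    return false;
}

/* Access check for a share restricted to Domain Users, based only on the
 * primary group SID (the effect described in the post). */
bool domain_users_share_allowed(const char *primary_group_sid)
{
    return strcmp(primary_group_sid, DOMAIN_USERS) == 0;
}

int main(void)
{
    char sid[64];
    bool real;

    real = primary_group_sid_before(TRACE_GID, sid, sizeof sid);
    printf("before patch: gid %u -> %s (real group: %s, share allowed: %s)\n",
           TRACE_GID, sid, real ? "yes" : "no",
           domain_users_share_allowed(sid) ? "yes" : "no");

    real = primary_group_sid_after(TRACE_GID, sid, sizeof sid);
    printf("after patch:  gid %u -> %s (real group: %s, share allowed: %s)\n",
           TRACE_GID, sid, real ? "yes" : "no",
           domain_users_share_allowed(sid) ? "yes" : "no");
    return 0;
}
```

Run stand-alone, the model shows the over-grant: with the pre-patch logic the user whose primary gid is 13000514 ends up with Domain Users as primary group because no local mapping exists, so a Domain Users-only resource is accessible; with the patched logic the idmap result is verified and kept, and the resource is denied. A gid the idmap cannot resolve at all still falls back to Domain Users in both variants, which is the remaining default worth being aware of when reviewing the real patch.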