[PATCH] s3: Lookup unknown SIDs in get_primary_group_sid

Christof Schmitt christof.schmitt at us.ibm.com
Fri Jul 6 13:30:02 MDT 2012


christof.schmitt at us.ibm.com wrote on 06/27/2012 12:44:18 PM:

> When Samba is running as AD member using winbindd for id lookups,
> each user automatically gets the privilege of the group 'Domain
> Users'. This happens even when the user has been removed from the
> group 'Domain Users'.
> 
> A trace shows that get_primary_group_sid forces the primary group
> to be 'Domain Users':
> 
> [2012/06/27 21:05:18.700197,  5] lib/username.c:171(Get_Pwnam_alloc)
>   Finding user VIRTUAL1\testuser1
> [2012/06/27 21:05:18.700232,  5] lib/username.c:116(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is virtual1\testuser1
> [2012/06/27 21:05:18.700268,  5] lib/username.c:149(Get_Pwnam_internals)
>   Get_Pwnam_internals did find user [VIRTUAL1\testuser1]!
> [2012/06/27 21:05:18.700335, 10] passdb/lookup_sid.c:1414(gid_to_sid)
>   gid 13000514 -> sid S-1-5-21-531246827-3739281486-2559166756-514
> [2012/06/27 21:05:18.700703, 10] groupdb/mapping_tdb.c:235(find_map)
>   failed to unpack map
> [2012/06/27 21:05:18.700950, 10] groupdb/mapping_tdb.c:235(find_map)
>   failed to unpack map
> [2012/06/27 21:05:18.701076,  3] passdb/lookup_sid.c:1759(get_primary_group_sid)
>   Forcing Primary Group to 'Domain Users' for VIRTUAL1\testuser1
> 
> This is caused by get_primary_group_sid calling pdb_gid_to_sid to
> determine if the group is a mapped group:
> 
>                         /* Try group mapping */
>                         ZERO_STRUCTP(group_sid);
>                         if (pdb_gid_to_sid(pwd->pw_gid, group_sid)) {
>                                 need_lookup_sid = true;
>                         }
> 
> Since there is no mapping for arbitrary groups that can be set as
> primary group, this check fails and get_primary_group_sid reverts
> to forcing 'Domain Users' as default group.
> 
> The attached patch removes this check to let the following code
> verify the group with lookup_sid. With this patch, access to
> resources only available to 'Domain Users' is denied for user ids
> that are not members of the group.
> 
> Is this a valid approach to solve the problem?

Ping. Any comments on the patch?

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
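An added model of the two behaviours the report contrasts (this is not Samba's code and not the attached patch): the model_* functions are constructed stand-ins for winbindd's gid_to_sid, for pdb_gid_to_sid and for lookup_sid, fed with the gid and SID taken from the trace above, and the fallback logic is a simplification of what the report describes.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed values: the domain SID from the trace plus well-known RIDs. */
#define DOM "S-1-5-21-531246827-3739281486-2559166756"
#define DOMAIN_USERS_SID DOM "-513"

/* Stand-in for winbindd's gid_to_sid(): the idmap knows every allocated gid. */
static const char *model_winbind_gid_to_sid(unsigned gid)
{
    if (gid == 13000514) return DOM "-514";   /* gid -> sid line from the trace */
    return NULL;                              /* unknown gid */
}

/* Stand-in for pdb_gid_to_sid(): only gids in the local group mapping table
 * resolve, and AD groups assigned by winbindd have no entry there
 * ("failed to unpack map" in the trace), so the lookup always fails. */
static bool model_pdb_gid_to_sid(unsigned gid, const char **sid)
{
    *sid = NULL;              /* mirrors ZERO_STRUCTP(group_sid) */
    return false;
}

/* Stand-in for lookup_sid(): the DC confirms the SID as a domain group. */
static bool model_lookup_sid_is_group(const char *sid)
{
    return sid != NULL && strcmp(sid, DOM "-514") == 0;
}

/* Behaviour the report describes: the group-mapping check gates the
 * lookup, so an unmapped gid is silently replaced by Domain Users. */
const char *primary_group_sid_before(unsigned gid)
{
    const char *group_sid = model_winbind_gid_to_sid(gid);
    bool need_lookup_sid = false;
    if (group_sid == NULL) return NULL;
    if (model_pdb_gid_to_sid(gid, &group_sid)) need_lookup_sid = true;
    if (need_lookup_sid && model_lookup_sid_is_group(group_sid)) return group_sid;
    return DOMAIN_USERS_SID;  /* "Forcing Primary Group to 'Domain Users'" */
}

/* Behaviour the patch aims for: verify the idmap SID with lookup_sid and
 * fall back to Domain Users only when it does not resolve to a group. */
const char *primary_group_sid_after(unsigned gid)
{
    const char *group_sid = model_winbind_gid_to_sid(gid);
    if (group_sid == NULL) return NULL;
    if (model_lookup_sid_is_group(group_sid)) return group_sid;
    return DOMAIN_USERS_SID;
}
```

For the gid from the trace the first function yields the Domain Users SID regardless of membership, while the second keeps the group winbindd actually resolved.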