[PATCH] s3: Lookup unknown SIDs in get_primary_group_sid

Andrew Bartlett abartlet at samba.org
Mon Jul 9 17:51:45 MDT 2012 

On Fri, 2012-07-06 at 13:30 -0600, Christof Schmitt wrote:
> christof.schmitt at us.ibm.com wrote on 06/27/2012 12:44:18 PM:
> 
> > When Samba is running as AD member using winbindd for id lookups,
> > each user automatically gets the privilege of the group 'Domain
> > Users'. This happens even when the user has been removed from the
> > group 'Domain Users'.
> > 
> > A trace shows that get_primary_group_sid forces the primary group
> > to be 'Domain Users':
> > 
> > [2012/06/27 21:05:18.700197,  5] lib/username.c:171(Get_Pwnam_alloc)
> >   Finding user VIRTUAL1\testuser1
> > [2012/06/27 21:05:18.700232,  5] lib/username.c:116(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as lowercase is virtual1\testuser1
> > [2012/06/27 21:05:18.700268,  5] lib/username.c:149(Get_Pwnam_internals)
> >   Get_Pwnam_internals did find user [VIRTUAL1\testuser1]!
> > [2012/06/27 21:05:18.700335, 10] passdb/lookup_sid.c:1414(gid_to_sid)
> >   gid 13000514 -> sid S-1-5-21-531246827-3739281486-2559166756-514
> > [2012/06/27 21:05:18.700703, 10] groupdb/mapping_tdb.c:235(find_map)
> >   failed to unpack map
> > [2012/06/27 21:05:18.700950, 10] groupdb/mapping_tdb.c:235(find_map)
> >   failed to unpack map
> > [2012/06/27 21:05:18.701076,  3] 
> > passdb/lookup_sid.c:1759(get_primary_group_sid)
> >   Forcing Primary Group to 'Domain Users' for VIRTUAL1\testuser1
> > 
> > This is caused by get_primary_group_sid calling pdb_gid_to_sid to
> > determine if the group is a mapped group:
> > 
> >                         /* Try group mapping */
> >                         ZERO_STRUCTP(group_sid);
> >                         if (pdb_gid_to_sid(pwd->pw_gid, group_sid)) {
> >                                 need_lookup_sid = true;
> >                         }
> > 
> > Since there is no mapping for arbitrary groups that can be set as
> > primary group, this check fails and get_primary_group_sid reverts
> > to forcing 'Domain Users' as default group.
> > 
> > The attached patch removes this check to let the following code
> > verify the group with lookup_sid. With this patch, access to
> > resources only available to 'Domain Users' is denied for user ids
> > that are not members of the group.
> > 
> > Is this a valid approach to solve the problem?
> 
> Ping. Any comments on the patch?

My main thoughts are 'here be dragons'.  I've not looked over the full
implications, and I do want to encourage cleaning up this code, but my
warning is this:
 - The full complexity in this area has built up over time, with lots of
piecemeal patches to solve one-off issues
 - There is additional complexity from the fact that folks insist on
running both with and without winbind when we are a domain member
 - There are few automated tests for this area.

A patch with an addition to 'make test' to prove it would be much easier
to accept, because even if we do change behaviour, at least we would lay
down a baseline for what the behaviour should be.

In doing that, look closely at the unix.whoami smbtorture test in
source4/torture/unix/whomai.c.  This particular Samba-only protocol
extension gives you an incredibly valuable insight, previously only
available on LDAP against a windows DC:  The user's full token of
SIDs.  

As an example way forward, you could modify the test so that instead of
having the 'addc' be a boolean argument, it could be the string name of
the DC to compare with, and we could assert in this case that the domain
SIDs match.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list