[PATCH] s3: Lookup unknown SIDs in get_primary_group_sid

Christof Schmitt christof.schmitt at us.ibm.com
Wed Jul 11 17:24:57 MDT 2012


Andrew Bartlett <abartlet at samba.org> wrote on 07/09/2012 04:51:45 PM:

> My main thoughts are 'here be dragons'.  I've not looked over the full
> implications, and I do want to encourage cleaning up this code, but my
> warning is this:
>  - The full complexity in this area has built up over time, with lots of
> piecemeal patches to solve one-off issues
>  - There is additional complexity from the fact that folks insist on
> running both with and without winbind when we are a domain member
>  - There are few automated tests for this area.
> 
> A patch with an addition to 'make test' to prove it would be much easier
> to accept, because even if we do change behaviour, at least we would lay
> down a baseline for what the behaviour should be.
> 
> In doing that, look closely at the unix.whoami smbtorture test in
> source4/torture/unix/whoami.c.  This particular Samba-only protocol
> extension gives you an incredibly valuable insight, previously only
> available on LDAP against a windows DC:  The user's full token of
> SIDs. 
> 
> As an example way forward, you could modify the test so that instead of
> having the 'addc' be a boolean argument, it could be the string name of
> the DC to compare with, and we could assert in this case that the domain
> SIDs match.

The unix.whoami test looks useful. I added the attached patch to
print the list of SIDs. With this I see the same behavior in
get_primary_group_sid. Without my patch, the Domain Users SID is
silently added for both cases, the regular user and the
guest. With the patch, the Domain Users SID is no longer added.

I am thinking along the lines of extending unix.whoami to
explicitly check if a certain SID is part of the list or is not
part of the list. The selftest could then verify that the guest
has access to S-1-5-32-546, but not S-1-5-32-545. I have not
found a way to get to the domain SIDs or the SID for Domain
Users, so using the well-known SIDs might be an easier option.

This is the output without the patch for get_primary_group_sid:

test: samba3.unix.whoami.whoami(s3dc)
time: 2012-07-11 15:06:45.481150Z
        mapping_flags=0x00000000 mapping_mask=0x00000001
        server UID=500 GID=501
        2 GIDs, 9 SIDs, 156 SID bytes
        SIDs:
                S-1-5-21-3819427561-1967558791-57781718-1000
                S-1-5-21-3819427561-1967558791-57781718-513
                S-1-22-2-501
                S-1-1-0
                S-1-5-2
                S-1-5-11
                S-1-5-32-545
                S-1-22-1-500
                S-1-22-2-100002
        mapping_flags=0x00000000 mapping_mask=0x00000001
        server UID=500 GID=501
        0 GIDs, 0 SIDs, 0 SID bytes
checking whether we were logged in as guest... NO
time: 2012-07-11 15:06:45.712511Z
successful: samba3.unix.whoami.whoami(s3dc)

test: samba3.unix.whoami anonymous connection.whoami(s3dc)
time: 2012-07-11 15:06:45.780663Z
        mapping_flags=0x00000001 mapping_mask=0x00000001
        server UID=65533 GID=65534
        1 GIDs, 9 SIDs, 172 SID bytes
        SIDs:
                S-1-5-21-3819427561-1967558791-57781718-501
                S-1-5-21-3819427561-1967558791-57781718-513
                S-1-5-21-3819427561-1967558791-57781718-546
                S-1-1-0
                S-1-5-2
                S-1-5-32-546
                S-1-5-32-545
                S-1-22-1-65533
                S-1-22-2-100002
        mapping_flags=0x00000001 mapping_mask=0x00000001
        server UID=65533 GID=65534
        0 GIDs, 0 SIDs, 0 SID bytes
checking whether we were logged in as guest... YES
time: 2012-07-11 15:06:45.803632Z
successful: samba3.unix.whoami anonymous connection.whoami(s3dc)

And with patch for get_primary_group_sid:

test: samba3.unix.whoami.whoami(s3dc)
time: 2012-07-11 15:43:02.222978Z
        mapping_flags=0x00000000 mapping_mask=0x00000001
        server UID=500 GID=501
        1 GIDs, 6 SIDs, 96 SID bytes
        SIDs:
                S-1-5-21-3310880130-3256763098-1914790447-1000
                S-1-22-2-501
                S-1-1-0
                S-1-5-2
                S-1-5-11
                S-1-22-1-500
        mapping_flags=0x00000000 mapping_mask=0x00000001
        server UID=500 GID=501
        0 GIDs, 0 SIDs, 0 SID bytes
checking whether we were logged in as guest... NO
time: 2012-07-11 15:43:03.032353Z
successful: samba3.unix.whoami.whoami(s3dc)

test: samba3.unix.whoami anonymous connection.whoami(s3dc)
time: 2012-07-11 15:43:03.080155Z
        mapping_flags=0x00000001 mapping_mask=0x00000001
        server UID=65533 GID=65534
        1 GIDs, 8 SIDs, 156 SID bytes
        SIDs:
                S-1-5-21-3310880130-3256763098-1914790447-501
                S-1-5-21-3310880130-3256763098-1914790447-65534
                S-1-5-21-3310880130-3256763098-1914790447-546
                S-1-1-0
                S-1-5-2
                S-1-5-32-546
                S-1-22-1-65533
                S-1-22-2-100002
        mapping_flags=0x00000001 mapping_mask=0x00000001
        server UID=65533 GID=65534
        0 GIDs, 0 SIDs, 0 SID bytes
checking whether we were logged in as guest... YES
time: 2012-07-11 15:43:03.090685Z
successful: samba3.unix.whoami anonymous connection.whoami(s3dc)

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-torture-Print-SIDs-as-additional-debug-output-in-uni.patch
Type: application/octet-stream
Size: 1047 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120711/643d1081/attachment.obj>
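The membership check sketched in the message above (does the guest token carry S-1-5-32-546 but not S-1-5-32-545, and has Domain Users gone?), written out as an added stand-alone C example. This is not Samba code and not the attached torture patch: it uses its own small SID parser rather than Samba's dom_sid routines. The helper names (sid_parse, sid_is_domain_rid, token_flags, guest_token_ok) are assumptions made here, and the domain SID is derived on the assumption that the first SID in the list is the account's own SID, which is how both whoami listings above are laid out. The two sample tokens are copied from the guest-connection output before and after the get_primary_group_sid patch.

```c
/* Added example, not Samba code: parse SID strings as printed by unix.whoami
 * and check which well-known groups a token contains. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB 15
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

struct sid {
    uint8_t revision;
    uint8_t num_auths;
    uint64_t id_auth;                 /* 48-bit identifier authority */
    uint32_t sub_auths[SID_MAX_SUB];
};

/* Parse "S-R-A-S1-...-Sn" as printed by unix.whoami. Rejects signs, trailing
 * junk, out-of-range fields and more than SID_MAX_SUB sub-authorities. */
bool sid_parse(const char *s, struct sid *out)
{
    const char *p;
    char *end;
    unsigned long long v;

    memset(out, 0, sizeof(*out));
    if (s == NULL || s[0] != 'S' || s[1] != '-' || !isdigit((unsigned char)s[2]))
        return false;
    v = strtoull(s + 2, &end, 10);
    if (*end != '-' || v == 0 || v > 255 || !isdigit((unsigned char)end[1]))
        return false;
    out->revision = (uint8_t)v;
    v = strtoull(end + 1, &end, 10);
    if (v > 0xFFFFFFFFFFFFULL)
        return false;
    out->id_auth = v;
    for (p = end; *p == '-'; p = end) {
        if (!isdigit((unsigned char)p[1]) || out->num_auths >= SID_MAX_SUB)
            return false;
        v = strtoull(p + 1, &end, 10);
        if (v > 0xFFFFFFFFULL)
            return false;
        out->sub_auths[out->num_auths++] = (uint32_t)v;
    }
    return *p == '\0';
}

/* True if s is exactly `domain` followed by the single RID `rid`. */
bool sid_is_domain_rid(const struct sid *s, const struct sid *domain, uint32_t rid)
{
    return s->revision == domain->revision && s->id_auth == domain->id_auth &&
           s->num_auths == domain->num_auths + 1 &&
           memcmp(s->sub_auths, domain->sub_auths,
                  domain->num_auths * sizeof(uint32_t)) == 0 &&
           s->sub_auths[domain->num_auths] == rid;
}

enum {
    HAS_BUILTIN_GUESTS = 1,   /* S-1-5-32-546 */
    HAS_BUILTIN_USERS  = 2,   /* S-1-5-32-545 */
    HAS_DOMAIN_USERS   = 4    /* <domain SID>-513 */
};

/* Classify a token given as the SID strings unix.whoami prints.
 * Assumption: token[0] is the account's own SID (true of the listings above),
 * so the domain SID is that SID with its final RID stripped. Returns a bitmask
 * of HAS_* flags, or -1 if any entry fails to parse. */
int token_flags(const char *const *token, size_t n)
{
    struct sid domain, builtin, cur;
    int flags = 0;
    size_t i;

    if (n == 0 || !sid_parse(token[0], &domain) || domain.num_auths == 0)
        return -1;
    domain.num_auths--;                       /* drop the account RID */
    sid_parse("S-1-5-32", &builtin);          /* BUILTIN domain */
    for (i = 0; i < n; i++) {
        if (!sid_parse(token[i], &cur))
            return -1;
        if (sid_is_domain_rid(&cur, &builtin, 546))
            flags |= HAS_BUILTIN_GUESTS;
        if (sid_is_domain_rid(&cur, &builtin, 545))
            flags |= HAS_BUILTIN_USERS;
        if (sid_is_domain_rid(&cur, &domain, 513))
            flags |= HAS_DOMAIN_USERS;
    }
    return flags;
}

/* The selftest assertion proposed in the message: a guest token carries
 * BUILTIN\Guests and neither BUILTIN\Users nor Domain Users. */
bool guest_token_ok(const char *const *token, size_t n)
{
    return token_flags(token, n) == HAS_BUILTIN_GUESTS;
}

/* Guest tokens copied from the two unix.whoami runs above (before / after the patch). */
static const char *const guest_before[] = {
    "S-1-5-21-3819427561-1967558791-57781718-501", "S-1-5-21-3819427561-1967558791-57781718-513",
    "S-1-5-21-3819427561-1967558791-57781718-546", "S-1-1-0", "S-1-5-2", "S-1-5-32-546",
    "S-1-5-32-545", "S-1-22-1-65533", "S-1-22-2-100002" };
static const char *const guest_after[] = {
    "S-1-5-21-3310880130-3256763098-1914790447-501", "S-1-5-21-3310880130-3256763098-1914790447-65534",
    "S-1-5-21-3310880130-3256763098-1914790447-546", "S-1-1-0", "S-1-5-2", "S-1-5-32-546",
    "S-1-22-1-65533", "S-1-22-2-100002" };
```

Run against the two sample tokens, token_flags() reports Guests, Users and Domain Users for the pre-patch guest (so guest_token_ok() is false) and only Guests for the post-patch guest. Deriving the domain SID from the account's own SID sidesteps the problem mentioned in the message of not having a way to obtain the domain SID in the test: the account SID is already in the returned list, and Domain Users is always RID 513 under that prefix.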