[PATCH] s3: Lookup unknown SIDs in get_primary_group_sid
Christof Schmitt
christof.schmitt at us.ibm.com
Wed Jul 11 17:24:57 MDT 2012
Andrew Bartlett <abartlet at samba.org> wrote on 07/09/2012 04:51:45 PM:
> My main thoughts are 'here be dragons'. I've not looked over the full
> implications, and I do want to encourage cleaning up this code, but my
> warning is this:
> - The full complexity in this area has built up over time, with lots of
> piecemeal patches to solve one-off issues
> - There is additional complexity from the fact that folks insist on
> running both with and without winbind when we are a domain member
> - There are few automated tests for this area.
>
> A patch with an addition to 'make test' to prove it would be much easier
> to accept, because even if we do change behaviour, at least we would lay
> down a baseline for what the behaviour should be.
>
> In doing that, look closely at the unix.whoami smbtorture test in
> source4/torture/unix/whoami.c. This particular Samba-only protocol
> extension gives you an incredibly valuable insight, previously only
> available on LDAP against a windows DC: The user's full token of
> SIDs.
>
> As an example way forward, you could modify the test so that instead of
> having the 'addc' be a boolean argument, it could be the string name of
> the DC to compare with, and we could assert in this case that the domain
> SIDs match.
The unix.whoami test looks useful. I added the attached patch to
print the list of SIDs. With this I see the same behavior in
get_primary_group_sid. Without my patch, the Domain Users SID is
silently added for both cases, the regular user and the
guest. With the patch, the Domain Users SID is no longer added.
I am thinking along the lines of extending unix.whoami to
explicitly check if a certain SID is part of the list or is not
part of the list. The selftest could then verify that the guest
has access to S-1-5-32-546, but not S-1-5-32-545. I have not
found a way to get to the domain SIDs or the SID for Domain
Users, so using the well-known SIDs might be an easier option.
This is the output without the patch for get_primary_group_sid:
test: samba3.unix.whoami.whoami(s3dc)
time: 2012-07-11 15:06:45.481150Z
mapping_flags=0x00000000 mapping_mask=0x00000001
server UID=500 GID=501
2 GIDs, 9 SIDs, 156 SID bytes
SIDs:
S-1-5-21-3819427561-1967558791-57781718-1000
S-1-5-21-3819427561-1967558791-57781718-513
S-1-22-2-501
S-1-1-0
S-1-5-2
S-1-5-11
S-1-5-32-545
S-1-22-1-500
S-1-22-2-100002
mapping_flags=0x00000000 mapping_mask=0x00000001
server UID=500 GID=501
0 GIDs, 0 SIDs, 0 SID bytes
checking whether we were logged in as guest... NO
time: 2012-07-11 15:06:45.712511Z
successful: samba3.unix.whoami.whoami(s3dc)
test: samba3.unix.whoami anonymous connection.whoami(s3dc)
time: 2012-07-11 15:06:45.780663Z
mapping_flags=0x00000001 mapping_mask=0x00000001
server UID=65533 GID=65534
1 GIDs, 9 SIDs, 172 SID bytes
SIDs:
S-1-5-21-3819427561-1967558791-57781718-501
S-1-5-21-3819427561-1967558791-57781718-513
S-1-5-21-3819427561-1967558791-57781718-546
S-1-1-0
S-1-5-2
S-1-5-32-546
S-1-5-32-545
S-1-22-1-65533
S-1-22-2-100002
mapping_flags=0x00000001 mapping_mask=0x00000001
server UID=65533 GID=65534
0 GIDs, 0 SIDs, 0 SID bytes
checking whether we were logged in as guest... YES
time: 2012-07-11 15:06:45.803632Z
successful: samba3.unix.whoami anonymous connection.whoami(s3dc)
And with patch for get_primary_group_sid:
test: samba3.unix.whoami.whoami(s3dc)
time: 2012-07-11 15:43:02.222978Z
mapping_flags=0x00000000 mapping_mask=0x00000001
server UID=500 GID=501
1 GIDs, 6 SIDs, 96 SID bytes
SIDs:
S-1-5-21-3310880130-3256763098-1914790447-1000
S-1-22-2-501
S-1-1-0
S-1-5-2
S-1-5-11
S-1-22-1-500
mapping_flags=0x00000000 mapping_mask=0x00000001
server UID=500 GID=501
0 GIDs, 0 SIDs, 0 SID bytes
checking whether we were logged in as guest... NO
time: 2012-07-11 15:43:03.032353Z
successful: samba3.unix.whoami.whoami(s3dc)
test: samba3.unix.whoami anonymous connection.whoami(s3dc)
time: 2012-07-11 15:43:03.080155Z
mapping_flags=0x00000001 mapping_mask=0x00000001
server UID=65533 GID=65534
1 GIDs, 8 SIDs, 156 SID bytes
SIDs:
S-1-5-21-3310880130-3256763098-1914790447-501
S-1-5-21-3310880130-3256763098-1914790447-65534
S-1-5-21-3310880130-3256763098-1914790447-546
S-1-1-0
S-1-5-2
S-1-5-32-546
S-1-22-1-65533
S-1-22-2-100002
mapping_flags=0x00000001 mapping_mask=0x00000001
server UID=65533 GID=65534
0 GIDs, 0 SIDs, 0 SID bytes
checking whether we were logged in as guest... YES
time: 2012-07-11 15:43:03.090685Z
successful: samba3.unix.whoami anonymous connection.whoami(s3dc)
Regards,
Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-torture-Print-SIDs-as-additional-debug-output-in-uni.patch
Type: application/octet-stream
Size: 1047 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120711/643d1081/attachment.obj>
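The membership check the mail proposes (the guest token must carry BUILTIN\Guests, S-1-5-32-546, and must not carry BUILTIN\Users, S-1-5-32-545), applied to the smbtorture output quoted above. This is an added illustration written for this page, not code from the Samba tree and not the attached patch; it parses the captures as plain text rather than calling the whoami extension. The symmetric expectation for the non-guest session (545 present, 546 absent) and the assumption that every S-1-5-21-* entry in a token belongs to the same domain as the first one are additions of this example, not statements from the mail. The sample input is a trimmed copy of the four token dumps shown above.

```python
import re

BUILTIN_USERS = "S-1-5-32-545"   # well-known BUILTIN\Users
BUILTIN_GUESTS = "S-1-5-32-546"  # well-known BUILTIN\Guests
DOMAIN_PREFIX = "S-1-5-21-"      # domain SIDs start with this authority/sub-authority
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")

# Trimmed copies of the smbtorture captures quoted in the mail (before and
# after the get_primary_group_sid patch); only lines the parser needs are kept.
WHOAMI_BEFORE = """\
test: samba3.unix.whoami.whoami(s3dc)
SIDs:
S-1-5-21-3819427561-1967558791-57781718-1000
S-1-5-21-3819427561-1967558791-57781718-513
S-1-22-2-501
S-1-1-0
S-1-5-2
S-1-5-11
S-1-5-32-545
S-1-22-1-500
S-1-22-2-100002
checking whether we were logged in as guest... NO
test: samba3.unix.whoami anonymous connection.whoami(s3dc)
SIDs:
S-1-5-21-3819427561-1967558791-57781718-501
S-1-5-21-3819427561-1967558791-57781718-513
S-1-5-21-3819427561-1967558791-57781718-546
S-1-1-0
S-1-5-2
S-1-5-32-546
S-1-5-32-545
S-1-22-1-65533
S-1-22-2-100002
checking whether we were logged in as guest... YES
"""

WHOAMI_AFTER = """\
test: samba3.unix.whoami.whoami(s3dc)
SIDs:
S-1-5-21-3310880130-3256763098-1914790447-1000
S-1-22-2-501
S-1-1-0
S-1-5-2
S-1-5-11
S-1-22-1-500
checking whether we were logged in as guest... NO
test: samba3.unix.whoami anonymous connection.whoami(s3dc)
SIDs:
S-1-5-21-3310880130-3256763098-1914790447-501
S-1-5-21-3310880130-3256763098-1914790447-65534
S-1-5-21-3310880130-3256763098-1914790447-546
S-1-1-0
S-1-5-2
S-1-5-32-546
S-1-22-1-65533
S-1-22-2-100002
checking whether we were logged in as guest... YES
"""


def parse_whoami(text):
    """Parse unix.whoami output into {test name: (sid list, logged in as guest)}.
    Only the first token dump per test carries a 'SIDs:' block, so the empty
    second dump in the full captures is ignored automatically."""
    results, name, sids, guest, collecting = {}, None, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("test: "):
            if name is not None:
                results[name] = (sids, guest)
            name, sids, guest, collecting = line[6:], [], None, False
        elif line == "SIDs:":
            collecting = True
        elif collecting and SID_RE.match(line):
            sids.append(line)
        elif line.startswith("checking whether we were logged in as guest"):
            guest, collecting = line.endswith("YES"), False
        else:
            collecting = False
    if name is not None:
        results[name] = (sids, guest)
    return results


def domain_rids(sids):
    """RIDs relative to the token's domain SID. Assumption of this example: the
    domain is the prefix of the first S-1-5-21-* entry and all such entries share it."""
    dom = next((s.rsplit("-", 1)[0] for s in sids if s.startswith(DOMAIN_PREFIX)), None)
    return {int(s.rsplit("-", 1)[1]) for s in sids if dom and s.startswith(dom + "-")}


def check_token(sids, required, forbidden):
    """Explicit membership check: returns (ok, list of problems)."""
    present = set(sids)
    problems = ["missing " + s for s in required if s not in present]
    problems += ["unexpected " + s for s in forbidden if s in present]
    return not problems, problems


def check_whoami(text):
    """Guest sessions: 546 present, 545 absent. Non-guest sessions (added
    assumption): 545 present, 546 absent. Returns {test name: (ok, problems)}."""
    verdicts = {}
    for name, (sids, is_guest) in parse_whoami(text).items():
        req, forb = ([BUILTIN_GUESTS], [BUILTIN_USERS]) if is_guest else ([BUILTIN_USERS], [BUILTIN_GUESTS])
        verdicts[name] = check_token(sids, req, forb)
    return verdicts


if __name__ == "__main__":
    for label, text in (("before patch", WHOAMI_BEFORE), ("after patch", WHOAMI_AFTER)):
        for name, (ok, problems) in check_whoami(text).items():
            print(label, name, "OK" if ok else problems)
```

Run against the captures, the guest session fails the check before the patch (S-1-5-32-545 is present) and passes after it; the non-guest session passes before the patch and fails after it, because the patched token carries neither S-1-5-32-545 nor the domain's 513 RID. Whether that second result is the intended behaviour is exactly the kind of baseline the selftest extension discussed above would pin down.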