[PATCH] s3: Lookup unknown SIDs in get_primary_group_sid

Christof Schmitt christof.schmitt at us.ibm.com
Wed Jun 27 13:44:18 MDT 2012


When Samba is running as AD member using winbindd for id lookups,
each user automatically gets the privilege of the group 'Domain
Users'. This happens even when the user has been removed from the
group 'Domain Users'.

A trace shows that get_primary_group_sid forces the primary group
to be 'Domain Users':

[2012/06/27 21:05:18.700197,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user VIRTUAL1\testuser1
[2012/06/27 21:05:18.700232,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is virtual1\testuser1
[2012/06/27 21:05:18.700268,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [VIRTUAL1\testuser1]!
[2012/06/27 21:05:18.700335, 10] passdb/lookup_sid.c:1414(gid_to_sid)
  gid 13000514 -> sid S-1-5-21-531246827-3739281486-2559166756-514
[2012/06/27 21:05:18.700703, 10] groupdb/mapping_tdb.c:235(find_map)
  failed to unpack map
[2012/06/27 21:05:18.700950, 10] groupdb/mapping_tdb.c:235(find_map)
  failed to unpack map
[2012/06/27 21:05:18.701076,  3] 
passdb/lookup_sid.c:1759(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for VIRTUAL1\testuser1

This is caused by get_primary_group_sid calling pdb_gid_to_sid to
determine if the group is a mapped group:

                        /* Try group mapping */
                        ZERO_STRUCTP(group_sid);
                        if (pdb_gid_to_sid(pwd->pw_gid, group_sid)) {
                                need_lookup_sid = true;
                        }

Since there is no mapping for arbitrary groups that can be set as
primary group, this check fails and get_primary_group_sid reverts
to forcing 'Domain Users' as default group.

The attached patch removes this check to let the following code
verify the group with lookup_sid. With this patch, access to
resources only available to 'Domain Users' is denied for user ids
that are not members of the group.

Is this a valid approach to solve the problem?



Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-Lookup-unknown-SIDs-in-get_primary_group_sid.patch
Type: application/octet-stream
Size: 1254 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120627/63913bf8/attachment.obj>


More information about the samba-technical mailing list