SID list population in 3.5.n series

Tom Noonan II thomas.noonan.ii at hp.com
Sat Mar 10 18:23:01 MST 2012


> If you push the debug level up to 10 you will see where it is happening.
Oop, you're right.  The log file I was parsing didn't have them, but I made a
fresh one and now I see it.  I suppose the SID table must have already been
cached in the log I was using.  I don't expect any further support from
samba-technical until I've had a chance to peruse these newly found function
calls.

However, in case anyone has any wise words:
> What specific problem are you trying to overcome?
	My goal is to use NSS groups to control access to shares by domain
joined users.  The ultimate goal is to use NSS to glue in auth from an external
server, so I'm looking for a solution that requires no local user management.
(i.e. adding groups via the net calls would be acceptable as that could be done
when modifying the share ACLs, but adding users would not.)  I don't want to go
into detail about the external server I'm trying to use, so please take my word
that NSS is the least painful route.
	I have my server bound to the domain (security = ads) with winbindd
working, and I am currently using a local group for testing.  When the domain
user logs in I can see their SID table is populated, but does not contain SIDs
generated from local groups.  (Again, local groups are just a test, not the end
goal.)  I'm assuming Samba is simply pulling the list from the AD server, which
is the most logical scenario, so the SID list obviously does not contain any
non-AD SIDs. A locally defined user contains SIDs for local groups, as is
expected.
	When the AD user tries to access the test share secured via a non-AD
group access is denied.  Samba properly looks up the SID for the group, but
since that SID is not in the AD user's SID list it denies access.
	What I'm trying to determine is what logic Samba uses to generate the
group SIDs for a AD user.  I'm looking to see if there is a tunable that would
force Samba to generate SIDs for AD users from NSS, and, if not, how difficult
it would be to add one.  I am again focused on NSS as I believe it to be the
most flexible and easily maintainable way to solve my problem.

-- 
Tom Noonan II
ESL Technician - Randstad


On Sat, 10 Mar 2012 01:10:17 +0000
Jeremy Allison <jra at samba.org> wrote:

> On Fri, Mar 09, 2012 at 03:01:57PM -0800, Richard Sharpe wrote:
> > On Fri, Mar 9, 2012 at 10:44 AM, Tom Noonan II <thomas.noonan.ii at hp.com>
> > wrote:
> > > Can someone familar with the 3.5.n series help me find where the list of
> > > SIDs in the NT_USER_TOKEN struct is populated when a connection is
> > > opened?  I'm having a heck of a time finding it on my own.
> > >
> > > In case there are multiple code paths, I'm interested in SID population
> > > from the glibc name service calls (I believe getgrouplist() in
> > > lib/system_smbd.c but I may be mistaken) and SID population for ADS
> > > domain users.
> > 
> > If you push the debug level up to 10 you will see where it is happening.
> > 
> > What specific problem are you trying to overcome?
> > 
> > There are multiple code paths, by the way, and an anon login is
> > inferior to a normal login.
> 
> Richard is correct that a debug level 10 will help here.
> 
> It can also depend on whether winbindd is running. Can
> you give us more information, or feel free to contact
> Richard and I privately if that's easier.
> 
> Jeremy.



-- 
Tom Noonan II
ESL Technician - Randstad


More information about the samba-technical mailing list