[PATCH] Fix bug #9878 - force user does not work as expected.
Jeremy Allison
jra at samba.org
Wed Mar 19 11:25:37 MDT 2014
On Wed, Mar 19, 2014 at 09:39:51AM -0700, Jeremy Allison wrote:
>
> OK - here is an attached patch that will dump out what
> is going wrong. Can you resend me the log with this
> in place please ?
>
> The "force user" patch is good. The issue is that
> the group resolution for @ntadmin -> &+ntadmin -> Check netgroup "ntadmin" followed by UNIX group ntadmin
> (lookup_name: Unix Group\ntadmin => domain=[Unix Group], name=[ntadmin])
> isn't matching the token generated for the LEVEL1+Administrator.
>
> My guess is mapping 'ntadmin' inside token_contains_name()
> is mapping to the UNIX S-1-22 group, whereas that for
> some reason isn't present in the token attached to
> LEVEL1+Administrator.
>
> The reason it works without the "force user" patch
> is that the token that's being checked inside
> token_contains_name() will be identical for the
> forced group lookup of "ntadmin" -> UNIX S-1-22 group
> (lookup_name: Unix Group\ntadmin => domain=[Unix Group], name=[ntadmin])
> as that same lookup is being done to create the
> 'force group token'. I think it's still wrong,
> but it's checking the same thing.
>
> But the extra debugs will tell us more.
Just to follow up (in case anyone cares :-).
Andreas's issue is a problem with his system
not correctly getting all the correct groups
attached to his token when the LEVEL1+Administrator
log in, not a problem with the force user
fix.
So the patch is good as it stands.
We'll follow up on his issue separately.
Jeremy.
More information about the samba-technical
mailing list