[PATCH] Fix bug #9878 - force user does not work as expected.

Ricky Nance ricky.nance at gmail.com
Wed Mar 19 21:48:33 MDT 2014


Andreas, I am betting you have already found this, but I think I have seen
similar issues when nsswitch isn't working as expected. I typically miss
nsswitch setup when I spin up a new machine, and find various gremlins when
it's not set up :).

Good luck,
Ricky


On Wed, Mar 19, 2014 at 12:25 PM, Jeremy Allison <jra at samba.org> wrote:

> On Wed, Mar 19, 2014 at 09:39:51AM -0700, Jeremy Allison wrote:
> >
> > OK - here is an attached patch that will dump out what
> > is going wrong. Can you resend me the log with this
> > in place please?
> >
> > The "force user" patch is good. The issue is that
> > the group resolution for @ntadmin -> &+ntadmin -> Check netgroup
> > "ntadmin" followed by UNIX group ntadmin
> > (lookup_name: Unix Group\ntadmin => domain=[Unix Group], name=[ntadmin])
> > isn't matching the token generated for the LEVEL1+Administrator.
> >
> > My guess is mapping 'ntadmin' inside token_contains_name()
> > is mapping to the UNIX S-1-22 group, whereas that for
> > some reason isn't present in the token attached to
> > LEVEL1+Administrator.
> >
> > The reason it works without the "force user" patch
> > is that the token that's being checked inside
> > token_contains_name() will be identical for the
> > forced group lookup of "ntadmin" -> UNIX S-1-22 group
> > (lookup_name: Unix Group\ntadmin => domain=[Unix Group], name=[ntadmin])
> > as that same lookup is being done to create the
> > 'force group token'. I think it's still wrong,
> > but it's checking the same thing.
> >
> > But the extra debugs will tell us more.
>
> Just to follow up (in case anyone cares :-).
>
> Andreas's issue is a problem with his system
> not correctly getting all the correct groups
> attached to his token when the LEVEL1+Administrator
> logs in, not a problem with the force user
> fix.
>
> So the patch is good as it stands.
>
> We'll follow up on his issue separately.
>
> Jeremy.
>

