selftest: re-enable nss_winbind via nss_wrapper in the test-envs.

Andrew Bartlett abartlet at samba.org
Tue Feb 17 14:09:50 MST 2015


On Tue, 2015-02-17 at 21:17 +0100, Michael Adam wrote:
> On 2015-02-18 at 07:27 +1300, Andrew Bartlett wrote:
> > On Tue, 2015-02-17 at 18:32 +0100, Michael Adam wrote:
> > > On 2015-02-17 at 18:27 +0100, Michael Adam wrote:
> > > > On 2015-02-17 at 18:09 +0100, Stefan (metze) Metzmacher wrote:
> > > > > Hi Michael,
> > > > > 
> > > > > > diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
> > > > > > index 1603321..3e2397d 100644
> > > > > > --- a/python/samba/provision/__init__.py
> > > > > > +++ b/python/samba/provision/__init__.py
> > > > > > @@ -1476,8 +1476,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> > > > > >          return samdb
> > > > > >  
> > > > > >  
> > > > > > -SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
> > > > > > -POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
> > > > > > +SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001200a9;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
> > > > > > +POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001200a9;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
> > > > > >  SYSVOL_SERVICE="sysvol"
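
Review bot: The `(A;OICI;0x001200a9;;;LA)` ACE newly placed at the front of both SYSVOL_ACL and POLICIES_ACL has no comment saying where the value comes from or why the owner (the strings already start with `O:LA`) needs an explicit entry. These are long literal SDDL strings, so a short comment above the two constants naming the reference they are meant to match would let a reader tell an intended change from an accidental one. The two strings are also identical apart from the trailing `(A;OICI;0x001301bf;;;PA)` ACE, so building POLICIES_ACL from SYSVOL_ACL plus that one ACE would keep the shared part from drifting apart in a later edit.
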
> > > > > 
> > > > > Aren't these the hardcoded values Windows clients expect to be there?
> > > > 
> > > > Could be. That is why I was asking for experts (like you) to
> > > > comment! :-)
> > > > 
> > > > > I guess changing them, just to let our test pass is wrong.
> > > > 
> > > > Ok. Does that mean the ACE values for the owner are completely
> > > > random? And the previous patch that does not adapt the NT ACL
> > > > but simply adapts the posix checks to the values that let
> > > > the test pass is better/correct?
> > > 
> > > More concretely, the attached patch..
> > 
> > This is much more like what I expected the fix to be (changing NSS
> > mappings might change some aspect of the stored posix ACL), but why does
> > the permission change from 6 to 7 (adding execute?)
> 
> I don't really have a clue. I had hoped someone here has. :)
> The only idea I have is that the domain admin now having an
> nss entity with the same UID Number as the calling user (root),
> this might be related to the domain admin being member of the
> builtin administrators group which gets full access by the acls.
> Not sure what the acl mapping code really does here.
> I'd need to find some time to dive through it.
> 
> Since the environment is *now* as it should be (with
> libnss_winbindd active), I think we can as well push
> the patch for a start.

If we can't get to the bottom of it during this thread, I would rather
we reverted the original patch until we do.  This area *is* tricky, and
the reason I added all the tests wasn't because I fully understood it
either, but because I wanted to nail down the behaviour so we noticed if
we changed it.  Previously we never noticed at all, it could change
unintentionally as happened here, and that worried me.

> But it still leaves me with a strange feeling:
> 
> - Why does provision give root's uid to the domain admin?
>   This seems to be a bug/bad thing to do.

So that the kernel gives administrator the kind of powers you would
expect it to have, like the ability to change ownerships. 

> - Why does the sysvol ACL not specify ACEs for the owner/
>   for the domain admin. It seems to be slightly strange
>   for the test to check the resulting acl for specific
>   entries for this entity since this seems to be random
>   to some extent, since apparently external influences
>   come into play here?! ...

The ACLs come from Windows, so the test needs to ensure that given that
ACL, we have a deterministic result on the sysvol share, given that the
posix ACL is what the users will end up being restricted by.

It isn't good that adding an nss module changes it, but we need to
understand the change, not just codify it as the new normal.  

Given this, I think it is important we run the test with and without
nss_winbind, and ensure it doesn't change either way. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


