[RFC] adding a fixed gid to the unix process token in smbd and other servers

Uri Simchoni urisimchoni at gmail.com
Tue Jul 21 20:45:06 UTC 2015


Hi,

This patch set adds the ability to add a gid to the UNIX process token
of smbd, as well as other servers (assuming they use getgrouplist()
and nsswitch is using nss_winbind). This is analogous to the Everyone
(S-1-1-0) SID and a bunch of other SIDs that get added to the NT
token.

For smbd, the "Everyone" (S-1-1-0) SID is added to every token. The
idea is to perform group mapping of "Everyone" (SID S-1-1-0) to some
unix group id, and then let smbd translate that SID into the gid.
Unfortunately, this was not supported for pdb backends that use local
group mapping for well-known and builtin SIDs, and the first part of
the patch set changes that.

The patch changes the default for the whole pdb interface, because the
default sid->xid for pdb interface is to use local group mapping (in
case of builtin/well known SIDs). Changing default behavior in this
way certainly is alarming, but I could not find a reason for it to be
the way it is now - I would be happy to stand corrected (sent an email
about it yesterday).

For other servers, the other parts of this patch set add functionality
to winbindd to mimic smbd's behavior when doing getgrouplist() - it
allows winbindd to add some SIDs to the list of SIDs obtained from the
backend, before translating the whole bunch to gids (and the first
patch and the group mapping let S-1-1-0 be translated).

I could also use some pointers about testing - my idea is to have a
black-box test that runs wbinfo without and with the added sids, and
verifies added groups. I can see there are some wbinfo tests, but I
need the test to configure smb.conf and do group mapping - was
wondering whether there's a "standard" way of doing it. Also, should I
clean up the env (group mapping, changes to smb.conf) before ending the
test, or is it the job of make test to clean up between tests?

Thanks,
Uri
From 3bf116ecdb98fba75134cf07ddd09db6ce80a08b Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni at gmail.com>
Date: Mon, 20 Jul 2015 09:29:28 +0300
Subject: [PATCH 1/3] passdb: change default of
 pdb_is_responsible_for_wellknown()

Well-known domain SIDs such as S-1-5 (NT Authority) are bases
for some alias SIDs that get added to the security token of
logged-on users, such as S-1-5-11 (NT Authority\Authenticated Users).

If a local group mapping of one of those added SIDs to a unix
group exists, this patch allows this mapping to occur (in the
same manner as BUILTIN domain SIDs get mapped), so that the
UNIX process token of an smbd session will include the
respective UNIX group id of the added SID.

Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
---
 source3/passdb/pdb_interface.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index d67e04e..e4e1277 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -2458,7 +2458,7 @@ static bool pdb_default_is_responsible_for_builtin(
 static bool pdb_default_is_responsible_for_wellknown(
 					struct pdb_methods *methods)
 {
-	return false;
+	return true;
 }
 
 static bool pdb_default_is_responsible_for_unix_users(
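Review bot: this flips the default for every passdb backend that does not override pdb_is_responsible_for_wellknown(), not only the setup the cover letter has in mind; the commit message should name which backends inherit the default and say why `return false` was chosen originally, or the change should be scoped to the backend that actually needs it. With the new default, any pre-existing local group mapping of a well-known SID (S-1-5-11, S-1-1-0 and friends) silently starts adding that UNIX gid to the process token of every session that carries the SID, so this is a behaviour change administrators need to audit their group mappings against before upgrading; a line in the release notes or in the smb.conf documentation would make that visible.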
-- 
1.9.1


From 4afb2a2dec386b2a5573ae139c980c206815adbf Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni at gmail.com>
Date: Tue, 21 Jul 2015 14:12:54 +0300
Subject: [PATCH 2/3] loadparam: add "winbind additional group sids" parameter

Adds a global parameter to be used by winbindd.

Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
---
 .../winbind/winbindadditionalgroupsids.xml         | 29 ++++++++++++++++++++++
 lib/param/param_table.c                            |  8 ++++++
 source3/param/loadparm.c                           |  2 ++
 3 files changed, 39 insertions(+)
 create mode 100644 docs-xml/smbdotconf/winbind/winbindadditionalgroupsids.xml

diff --git a/docs-xml/smbdotconf/winbind/winbindadditionalgroupsids.xml b/docs-xml/smbdotconf/winbind/winbindadditionalgroupsids.xml
new file mode 100644
index 0000000..051b090
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindadditionalgroupsids.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind additional group sids"
+                 context="G"
+				 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This is a list of additional Windows Security Identifiers
+    (SIDs) that represents group aliases that every user is a member
+    of. It is used by <citerefentry><refentrytitle>winbindd
+    </refentrytitle><manvolnum>8</manvolnum></citerefentry> while
+    calculating the list of UNIX groups a user is a member of
+    (e.g. on behalf of the winbind NSS plugin).</para>
+    
+    <para>Adding those SIDs is analogous to the way
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> builds a process token for
+    an authenticated domain user - it obtains a list of SIDs
+    from the domain controller, adds some well known SIDs (e.g.
+    S-1-5-11 for NT Authority\Authenticated Users) and then
+    converts the whole list to UNIX group IDs.</para>
+
+    <para>To be useful, the SIDs listed by this parameter must also
+    have a group mapping, that would convert the SIDs to UNIX gids.
+    </para>
+
+</description>
+
+<value type="default"/>
+<value type="example">S-1-1-0</value>
+</samba:parameter>
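Review bot: the description should spell out the security consequence of this parameter: every user whose group list winbindd resolves is placed in the UNIX groups the listed SIDs map to, so mapping one of them to an existing group hands that group's file-system rights (and anything PAM or sudo grants by group) to all domain users. It should also be concrete about the prerequisite mentioned in the last paragraph, i.e. that a mapping created with net groupmap is required and that SIDs without one are ignored. Style nits: the `type="list"` attribute line is indented with a tab while the neighbouring attributes use spaces, the blank line after the first paragraph carries trailing whitespace, and "SIDs that represents" should read "represent".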
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 0fdd50d..ee9c9ec 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -3814,6 +3814,14 @@ struct parm_struct parm_table[] = {
 		.enum_list	= NULL,
 	},
 	{
+		.label		= "winbind additional group sids",
+		.type		= P_CMDLIST,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(winbind_additional_group_sids),
+		.special	= NULL,
+		.enum_list	= NULL,
+	},
+	{
 		.label		= "neutralize nt4 emulation",
 		.type		= P_BOOL,
 		.p_class	= P_GLOBAL,
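Review bot: the table entry uses `.type = P_CMDLIST` while the XML in the previous hunk declares `type="list"`; pick one so the generated documentation and the parser agree with the convention the existing list parameters in this table follow. Nothing validates the entries at load time, so a mistyped SID is only discovered, silently, when the winbindd code walks the list; a `.special` handler that runs string_to_sid() over each entry and reports a parse error would surface the misconfiguration already when testparm is run.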
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7dd8786..d033ae8 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -810,6 +810,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
 	Globals.winbind_refresh_tickets = false;
 	Globals.winbind_offline_logon = false;
+	Globals.winbind_additional_group_sids =
+		str_list_make_v3_const(NULL, "", NULL);
 
 	Globals.idmap_cache_time = 86400 * 7; /* a week by default */
 	Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */
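Review bot: the default is initialised with `str_list_make_v3_const(NULL, "", NULL)`; confirm that this yields an empty list rather than a list with a single empty-string element, because the consumer in patch 3 counts every non-NULL element and would feed "" to string_to_sid() otherwise. If an empty list is the intent, NULL is the simpler default, and the patch 3 loop already guards it with `additionals != NULL`.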
-- 
1.9.1


From f77d0cf5ba0b702787746bd3faf7170b19a50d9a Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni at gmail.com>
Date: Tue, 21 Jul 2015 14:39:48 +0300
Subject: [PATCH 3/3] winbindd: support additional groups in GETGROUPS

Allow the winbindd WINBINDD_GETGROUPS API to return an
additional set of UNIX groups, in accordance with the new
"winbind additional group sids" parameter.

The idea is to add the SIDs to the list of SIDs obtained
from active directory, and then with a suitable group mapping
map those SIDs to UNIX ids.

Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
---
 source3/winbindd/wb_gettoken.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/source3/winbindd/wb_gettoken.c b/source3/winbindd/wb_gettoken.c
index 5271998..05ce663 100644
--- a/source3/winbindd/wb_gettoken.c
+++ b/source3/winbindd/wb_gettoken.c
@@ -176,6 +176,8 @@ static void wb_gettoken_gotbuiltins(struct tevent_req *subreq)
 	uint32_t num_rids;
         uint32_t *rids;
 	NTSTATUS status;
+	const char **additionals;
+	uint32_t num_additionals;
 
 	status = wb_lookupuseraliases_recv(subreq, state, &num_rids, &rids);
 	TALLOC_FREE(subreq);
@@ -187,6 +189,35 @@ static void wb_gettoken_gotbuiltins(struct tevent_req *subreq)
 		tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
 		return;
 	}
+
+	/*
+	 * Now add additional SIDs from smb.conf
+	 */
+	num_additionals = 0;
+	for (additionals = lp_winbind_additional_group_sids();
+	     additionals != NULL && *additionals != NULL; ++additionals) {
+		++num_additionals;
+	}
+
+	if (num_additionals > 0) {
+		struct dom_sid *sids;
+
+		sids = talloc_realloc(state, state->sids, struct dom_sid,
+				      state->num_sids + num_additionals);
+		if (tevent_req_nomem(sids, req)) {
+			return;
+		}
+
+		for (additionals = lp_winbind_additional_group_sids();
+		     *additionals != NULL; ++additionals) {
+			if (string_to_sid(&sids[state->num_sids],
+					  *additionals)) {
+				state->num_sids += 1;
+			}
+		}
+		state->sids = sids;
+	}
+
 	tevent_req_done(req);
 }
 
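Review bot: string_to_sid() failures in the second loop are skipped without a trace, so a typo in "winbind additional group sids" drops the group and the administrator who intended every user to get it sees only an unexplained access denial; at minimum log the offending string with DEBUG(), and consider failing the request or the configuration load instead. Two smaller points: lp_winbind_additional_group_sids() is called twice and the second loop drops the `additionals != NULL` guard the first one has (safe only because `num_additionals > 0` implies a non-NULL list, which deserves a comment or a single saved pointer); and the SIDs are appended without checking whether they already occur in state->sids, and only after wb_lookupuseraliases_recv() has delivered its result, so unlike the smbd token they are neither deduplicated nor expanded through alias membership. The commit message should say whether both are intended.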
-- 
1.9.1
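The merge step that patch 3 adds to wb_gettoken.c, followed by the group-mapping translation the cover letter relies on, modelled in Python as an added example (this is not Samba's code, and the SIDs, gids and mapping table below are constructed sample data). It differs from the patch in two deliberate ways a defender wants: malformed SIDs and SIDs without a group mapping are reported instead of being silently dropped, and a configured SID that the backend already returned is not added twice.

```python
"""Model of the winbindd GETGROUPS step: merge the SIDs obtained from the
backend with the SIDs configured in smb.conf, then map the whole list to
UNIX gids through a group mapping.  Example code, not Samba's implementation."""
import re

# S-1-<identifier authority>[-<sub authority>]*; a lower-case "s" is tolerated.
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$", re.IGNORECASE)
_MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in Samba


def parse_sid(text):
    """Return the canonical SID string, or None if the text is not a SID
    (the role string_to_sid() plays in the patch)."""
    m = _SID_RE.match(text.strip())
    if m is None:
        return None
    subs = [int(x) for x in m.group(2).split("-") if x]
    if len(subs) > _MAX_SUB_AUTHORITIES:
        return None
    return "S-1-%d%s" % (int(m.group(1)), "".join("-%d" % s for s in subs))


def build_group_sids(backend_sids, additional_sids):
    """Append the configured SIDs to the backend list.  Returns
    (sids, rejected): rejected holds entries that did not parse, which the
    patch would skip silently."""
    sids = list(backend_sids)
    seen = set(sids)
    rejected = []
    for raw in additional_sids:
        sid = parse_sid(raw)
        if sid is None:
            rejected.append(raw)
            continue
        if sid not in seen:  # do not hand the same SID to the idmap twice
            sids.append(sid)
            seen.add(sid)
    return sids, rejected


def sids_to_gids(sids, group_mapping):
    """Translate SIDs to gids via the group mapping.  Returns (gids, unmapped);
    unmapped SIDs are the ones that need a 'net groupmap' entry to be useful."""
    gids, unmapped = [], []
    for sid in sids:
        gid = group_mapping.get(sid)
        if gid is None:
            unmapped.append(sid)
        elif gid not in gids:
            gids.append(gid)
    return gids, unmapped


def resolve_user_groups(backend_sids, additional_sids, group_mapping):
    """Whole pipeline for one user: the gid list plus the diagnostics an
    administrator needs to see why a configured SID had no effect."""
    sids, rejected = build_group_sids(backend_sids, additional_sids)
    gids, unmapped = sids_to_gids(sids, group_mapping)
    return {"sids": sids, "gids": gids, "rejected": rejected, "unmapped": unmapped}


# Constructed sample data for a fictitious domain S-1-5-21-1000-2000-3000.
BACKEND_SIDS = ["S-1-5-21-1000-2000-3000-513",   # Domain Users, from the DC
                "S-1-5-21-1000-2000-3000-1107"]  # some domain group
# Constructed "winbind additional group sids" value: Everyone, Authenticated
# Users, a typo (letter O instead of zero), and a SID the DC already returned.
ADDITIONAL_SIDS = ["S-1-1-0", "S-1-5-11", "S-1-1-O", "S-1-5-21-1000-2000-3000-513"]
# Constructed group mapping (what 'net groupmap' would have recorded).
GROUP_MAPPING = {
    "S-1-5-21-1000-2000-3000-513": 10000,
    "S-1-5-21-1000-2000-3000-1107": 10001,
    "S-1-1-0": 30000,  # Everyone mapped to a local UNIX group
}

if __name__ == "__main__":
    report = resolve_user_groups(BACKEND_SIDS, ADDITIONAL_SIDS, GROUP_MAPPING)
    print("gids:", report["gids"])          # [10000, 10001, 30000]
    print("rejected:", report["rejected"])  # ['S-1-1-O']  -> fix smb.conf
    print("unmapped:", report["unmapped"])  # ['S-1-5-11'] -> needs a group mapping
```

Running the sample shows the two failure modes the patch leaves invisible: the mistyped "S-1-1-O" is reported as rejected rather than vanishing, and S-1-5-11 appears as unmapped because no group mapping exists for it, which is exactly the prerequisite the new smb.conf documentation mentions.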


