libwbclient: duplicate primary group in returned sids array (was github PR #102)

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jan 8 20:17:35 UTC 2019


On Tue, Jan 08, 2019 at 12:36:59PM +0200, Isaac Boukris via samba-technical wrote:
> A while ago, I was testing wbcAuthenticateUserEx with NTLM against
> Windows and noticed that the primary group is being referenced twice
> in returned wbcAuthUserInfo.sids array.
> 
> The way it happens as far as I recall, is because the DC returns the
> primary group in NETLOGON_VALIDATION_SAM_INFO, both as PrimaryGroupId
> and in GroupIds. Then libwbclient copies it to a single array where
> array[0] is the user SID, array[1] is the PrimaryGroupId and then it
> adds the primary group again as a part of the groups from GroupIds.
> 
> This patch skips the second addition, as it seems odd to have
> duplicate SIDs in a flat array (even though the first two elements are
> fixed). If this looks right, I'll try to add a test and resubmit on
> gitlab.

Of course this looks functionally right. One small nit-pick: We always
do { } even if there's only one statement in the "if"-clause.

The other question is: Is this too specific? Should we filter all
duplicate SIDs in case they happen? And -- is this the right place? My
gut feeling would be to keep the winbind clients as simple as possible
and put complexity into winbind itself. Should we filter the primary
group RID inside winbind? Really a genuine question, I don't have a
firm opinion yet.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: 0551-370000-0, mailto:kontakt at sernet.de
Gesch.F.: Dr. Johannes Loxen und Reinhild Jung
AG Göttingen: HR-B 2816 - http://www.sernet.de
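
The array layout described in the quoted message, and the difference between skipping only the primary group and filtering every duplicate as the reply asks, shown as an added sketch. It is not code from the patch or from Samba: `struct sam_info`, `build_rid_array`, `demo_count` and the `dedup_mode` values are hypothetical names, RIDs stand in for full SIDs, and the sample RIDs are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-in for the validation fields named in the
 * thread; RIDs are used in place of full SIDs to keep the sketch short. */
struct sam_info {
	uint32_t user_rid;
	uint32_t primary_gid;       /* PrimaryGroupId */
	const uint32_t *group_rids; /* GroupIds */
	size_t num_groups;
};
enum dedup_mode { DEDUP_NONE, DEDUP_PRIMARY_ONLY, DEDUP_ALL };

/* Fill out[] as [0]=user, [1]=primary group, then GroupIds.
 * out must have room for num_groups + 2 entries. Returns entries written. */
size_t build_rid_array(const struct sam_info *info, enum dedup_mode mode,
		       uint32_t *out)
{
	size_t n = 0;
	out[n++] = info->user_rid;
	out[n++] = info->primary_gid;
	for (size_t i = 0; i < info->num_groups; i++) {
		uint32_t rid = info->group_rids[i];
		int skip = 0;
		/* Narrow fix: drop only the repeated primary group. */
		if (mode == DEDUP_PRIMARY_ONLY && rid == info->primary_gid) {
			skip = 1;
		}
		/* General fix: drop anything already in the flat array. */
		for (size_t j = 0; mode == DEDUP_ALL && j < n; j++) {
			if (out[j] == rid) {
				skip = 1;
			}
		}
		if (!skip) {
			out[n++] = rid;
		}
	}
	return n;
}

/* Constructed sample: primary group 513 repeated in GroupIds, 1120 twice. */
size_t demo_count(enum dedup_mode mode)
{
	static const uint32_t groups[] = { 513, 1120, 1121, 1120 };
	struct sam_info info = { 1105, 513, groups, 4 };
	uint32_t out[6];
	return build_rid_array(&info, mode, out);
}

int main(void) { return demo_count(DEDUP_ALL) == 4 ? 0 : 1; }
```

With the constructed input, the unfiltered array has 6 entries, skipping only the primary group leaves 5 (the repeated 1120 survives), and filtering all duplicates leaves 4.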


