[Samba] Questions about 3.0.12rc1

Gerald (Jerry) Carter jerry at samba.org
Mon Mar 14 14:38:01 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sergey Loskutov wrote:
| Hello!
|
| Before this post, I sent 3 problems in 3.0.11.
| I compiled 3.0.12rc1 and found the following:
|
| 1) Setting the primary group .... problem solved, but a question to the developer:
|    You appended to mapping.c, in smb_set_primary_group,
|    ret = smbrun(add_script,NULL);
|    flush_pwnam_cache();
|    ^^^^^^^^^^^^^^^^^^^^
|  But the ret code is not checked ..... if my script exits with code != 0, the
| primary group is still changed ... ( is the "set primary group" script still needed ? )

It's just flushing the internal pwnam cache.  Semantically this is ok.
Probably not optimal.  I'll look at it later.

| 2) Next in this code is winbind, but the debug message string has the code
| DEBUG(3,("smb_delete_group:
|
| You used copy/paste  ;)
|
| This affects the functions:   smb_add_user_group, smb_delete_user_group
|
| smb_add_user_group  has a bug:
|
|   if ( winbind_add_user_to_group( unix_user, unix_group ) ) {
|      DEBUG(3,("smb_delete_group: winbindd added user (%s) to the group (%s)\n",
|       unix_user, unix_group));
|       return -1;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^
| needed:  return 0;
|
|   }

The 'winbind local accounts' code is deprecated at this point.  So this
code will eventually be removed anyways.  However, I'll clean up the
debug messages and check return codes before the final 3.0.12.

| 3)  I analyzed problem 1
| ( a user who does not have the "add machine account" privilege )
|
| In function _samr_create_user ( srv_samr_nt.c ) you have this code:
|
| if ( can_add_account )
|   become_root();
|
| And if the user does not have the privilege (user|machine), you MAY CREATE A USER (
| posix account or machine account ) through the SCRIPT  :(((((
|
| I changed the code to:
|
| if ( can_add_account == False ) {
|   return NT_STATUS_ACCESS_DENIED;
| }
| it fixed the problem ....
| I did a simple test and it works correctly, ... but I did
| not do a full test.

I've thought about this before.  The problem is actually that
your 'add user script' can be run successfully as a non-root user.
A simple 'chmod 700 <script>; chown root <script>' will solve this.
I'll look at it some more but this is not a pressing issue I don't
think.  smbd is not doing anything that the normal user couldn't do
anyways.  And your fix doesn't cover all the possible scenarios
(e.g. root user with no assigned privileges should still be able to join
clients to the domain).

Thanks for the feedback.




cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCNaHJIR7qMdg1EfYRAgFkAJ9RYuBYrAJkidjOAg7M3ffe/bNo1ACgkV2e
AoI7f/tiRTxysi6x8wSQmPY=
=Rgb4
-----END PGP SIGNATURE-----
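As an added example, not code from Samba or from either poster, the C below models the two things discussed in this message: the gate in _samr_create_user, where only become_root() depends on can_add_account while the configured script still runs, and the smbrun() exit status that point 1 says is never checked. The struct caller, the status_t codes standing in for NTSTATUS, the ACB_NORMAL/ACB_WSTRUST bit values and run_script() (which invokes the script through system() the way smbrun() hands it to a shell) are all assumptions made for the example. The uid-0 bypass in caller_may_add() encodes the caveat in the reply: a root caller with no assigned privileges must still be able to join clients to the domain, which is what Sergey's unconditional ACCESS_DENIED would have broken.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes standing in for the NTSTATUS values a SAMR handler returns
 * (assumed for this example). */
typedef enum {
    ST_OK = 0,
    ST_ACCESS_DENIED,
    ST_SCRIPT_FAILED
} status_t;

/* Account-control bits from the SAM ACB flags; values assumed here. */
enum { ACB_NORMAL = 0x0010, ACB_WSTRUST = 0x0080 };

/* What the pipe handler knows about the connected client (assumed shape). */
struct caller {
    uid_t uid;                /* unix uid the request is serviced as */
    bool has_add_users;       /* holds SeAddUsersPrivilege           */
    bool has_machine_account; /* holds SeMachineAccountPrivilege     */
};

/* Counts script executions so the two create_user variants below can be
 * compared: the old path runs the script even when it should not. */
static int scripts_executed;

int scripts_run(void) { return scripts_executed; }

/* Root bypasses the privilege model: a uid-0 caller with no assigned
 * privileges must still be able to create machine accounts. */
static bool caller_may_add(const struct caller *c, unsigned acb) {
    if (c->uid == 0)
        return true;
    if (acb & ACB_WSTRUST)
        return c->has_machine_account;
    return c->has_add_users;
}

/* Run the configured script through /bin/sh, as smbrun() does, and return
 * its exit status, or -1 if it did not exit normally. */
static int run_script(const char *cmd) {
    int st;
    scripts_executed++;
    st = system(cmd);
    if (st == -1 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* The pattern from the post: only become_root() is gated on the privilege
 * check, so the script still runs (as the caller's uid) and its exit
 * status is never examined. */
status_t create_user_before(const struct caller *c, unsigned acb, const char *script) {
    bool can_add_account = caller_may_add(c, acb);
    if (can_add_account) { /* become_root(); */ }
    run_script(script);    /* return value discarded */
    if (can_add_account) { /* unbecome_root(); */ }
    return ST_OK;
}

/* Hardened form: refuse up front when the caller lacks the privilege (root
 * still passes), and treat a non-zero script exit as a failed create. */
status_t create_user_after(const struct caller *c, unsigned acb, const char *script) {
    int rc;
    if (!caller_may_add(c, acb))
        return ST_ACCESS_DENIED;
    /* become_root(); */
    rc = run_script(script);
    /* unbecome_root(); */
    return rc == 0 ? ST_OK : ST_SCRIPT_FAILED;
}

int main(void) {
    struct caller nobody = { 1000, false, false };
    struct caller joiner = { 1000, false, true };
    /* Constructed stand-ins for 'add user script' / 'add machine script'. */
    const char *ok_script = "exit 0";
    const char *failing_script = "exit 3";

    printf("unprivileged, old path: status %d, scripts run %d\n",
           create_user_before(&nobody, ACB_WSTRUST, ok_script), scripts_run());
    printf("unprivileged, new path: status %d, scripts run %d\n",
           create_user_after(&nobody, ACB_WSTRUST, ok_script), scripts_run());
    printf("machine privilege held: status %d\n",
           create_user_after(&joiner, ACB_WSTRUST, ok_script));
    printf("script exited non-zero: status %d\n",
           create_user_after(&joiner, ACB_WSTRUST, failing_script));
    return 0;
}
```

The before variant is why the chmod 700 / chown root advice in the reply matters: the script is executed whether or not the privilege check passed, so on that code path the file mode is the only thing standing between an unprivileged caller and the script's side effects. The after variant makes the gate explicit and also surfaces a failing script, which the original smbrun() call site silently ignored.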