[Samba] 3.0.23d UNIX vs. AD group permissions

David Pullman dpullman at nist.gov
Thu Jan 11 17:15:50 GMT 2007


We have what may be a very, very bad situation here and I'm hoping 
someone may be able to point out either where I'm misinterpreting this 
or where I missed the memo.

We're testing 3.0.23d so we can upgrade from 3.0.14a.  Our servers are 
all currently Solaris 9, and we build samba from source with MIT krb5 
and openldap libraries.  We have used security = ads since 3.0 after 
having used security = domain with nt4.0 for many years in the 2.2 era.

We also have winbindd running, but only with idmap to an ldap directory 
to map uids to sids.  All usernames are in NIS and the identical 
usernames are in AD, as they were in NT before.  We share all 
directories to both NFS and CIFS clients, with posix acls on the file 
server.  This has worked for years.  We only pursued the winbindd 
feature for idmapping to provide the users with the ability to add a 
name to an acl in Windows.  Currently on 3.0.14a this works fine.

We do not have unix groups, as populated in NIS group, in the AD.  We do 
not use winbind for any authentication.

When we started testing 3.0.23d we found that the primary group of a 
user seemed to be honored for access to a file or directory, but the 
secondary groups were not.  On our test server I cranked up idmap and 
auth logging.  Then we added some group names to AD; this was after I 
asked Gerry at the LISA conference about the issue I was seeing.

In the log snip below the server is getting a bunch of SIDs for my 
login.  Every one of these is one of the groups that are enumerated in AD, 
specifically with my name in the group.  Also, in trying to access 
folders on a share, only the groups listed will allow permission; if I 
have a group on a directory that I'm a member of in UNIX but not in AD, I 
can't access the folder.  ****This is different from how it used to be****

[2007/01/11 11:08:40, 10] auth/auth_util.c:(454)
   NT user token of user S-1-5-21-1214440339-839522115-1708537768-1623
   contains 9 SIDs
   SID[  0]: S-1-5-21-1214440339-839522115-1708537768-1623
   SID[  1]: S-1-5-21-1214440339-839522115-1708537768-6843
   SID[  2]: S-1-1-0
   SID[  3]: S-1-5-2
   SID[  4]: S-1-5-11
   SID[  5]: S-1-5-21-1214440339-839522115-1708537768-2254
   SID[  6]: S-1-5-21-1214440339-839522115-1708537768-513
   SID[  7]: S-1-5-21-1214440339-839522115-1708537768-2270
   SID[  8]: S-1-5-32-545
   SE_PRIV  0x0 0x0 0x0 0x0

[root at chrome boogie]$ wbinfo -s 
S-1-5-21-1214440339-839522115-1708537768-6280
MELAD\tac 2
[root at chrome boogie]$ wbinfo -s 
S-1-5-21-1214440339-839522115-1708537768-2270
MELAD\melsa 2
[root at chrome boogie]$ wbinfo -s 
S-1-5-21-1214440339-839522115-1708537768-2254
MELAD\MELSAApps 2
[root at chrome boogie]$ wbinfo -s 
S-1-5-21-1214440339-839522115-1708537768-6843
MELAD\wwwmel 2

Taking this a step further: we added a UNIX group to AD and put my name 
in it.  I am not a member of this group in UNIX.  In the snip below that 
SID is now included in my user token.

[2007/01/11 11:34:53, 10] auth/auth_util.c:(454)
   NT user token of user S-1-5-21-1214440339-839522115-1708537768-1623
   contains 11 SIDs
   SID[  0]: S-1-5-21-1214440339-839522115-1708537768-1623
   SID[  1]: S-1-5-21-1214440339-839522115-1708537768-6843
   SID[  2]: S-1-1-0
   SID[  3]: S-1-5-2
   SID[  4]: S-1-5-11
   SID[  5]: S-1-5-21-1214440339-839522115-1708537768-2254
   SID[  6]: S-1-5-21-1214440339-839522115-1708537768-513
   SID[  7]: S-1-5-21-1214440339-839522115-1708537768-6279
   SID[  8]: S-1-5-21-1214440339-839522115-1708537768-2270
   SID[  9]: S-1-5-21-1214440339-839522115-1708537768-6280
   SID[ 10]: S-1-5-32-545
   SE_PRIV  0x0 0x0 0x0 0x0

With this token I was able to create files and directories in a 
directory that had this new group.  I'm not the owner of the directory, 
or a member of the group, and other has only r-x. ****Even though I am 
not permitted to do this in UNIX****

[root at chrome testing]$ ls -al .
total 8
drwxrwsr-x   4 carolyn  adacs        512 Jan 11 11:35 .
drwxr-xr-x   8 root     sys          512 Jan  5 13:37 ..
drwxr-sr-x   2 dpullman adacs        512 Jan 11 11:35 New Folder
[root at chrome testing]$ groups dpullman
melsaunx wwwmel melsa gss gssreq office root sensor lp melsapw sa 
webgroup admin tac

Isn't there a statement somewhere that samba will honor the UNIX 
permissions?  How am I able to write in a directory that I do not have 
access to according to the UNIX permissions?

Is it the intention of the samba development that all UNIX groups will 
have to not only be listed in AD, but also populated?

Thanks very much.

-- 
David Pullman
Systems Administrator
Manufacturing Engineering Laboratory
National Institute of Standards & Technology
Mail Stop 8203
100 Bureau Drive
Gaithersburg, MD 20899-8260
Tel: (301) 975-5385
Fax: (301) 926-3842
E-mail: david.pullman at nist.gov
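The mismatch described in the post (groups present in the Samba NT user token versus the user's UNIX groups) can be checked mechanically. The script below is an added example, not code from the post or from the Samba project: it parses a level-10 auth_util.c token dump, resolves each SID with the text form of `wbinfo -s` output, and reports which UNIX groups are absent from the token and which token groups have no UNIX counterpart. The sample inputs are constructed from the values quoted in the post; the only assumption beyond the page is that the type code `2` printed by `wbinfo -s` denotes a domain group.

```python
"""Compare the groups in a Samba NT user token with a user's UNIX groups."""
import re

# Matches the per-SID lines of an auth_util.c "NT user token" dump.
SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[\d-]+)")

# Type code that `wbinfo -s` prints for a domain group (assumption, see lead-in).
WBINFO_DOMAIN_GROUP = "2"

# Constructed sample: the first level-10 smbd token dump quoted in the post.
TOKEN_LOG = """\
[2007/01/11 11:08:40, 10] auth/auth_util.c:(454)
   NT user token of user S-1-5-21-1214440339-839522115-1708537768-1623
   contains 9 SIDs
   SID[  0]: S-1-5-21-1214440339-839522115-1708537768-1623
   SID[  1]: S-1-5-21-1214440339-839522115-1708537768-6843
   SID[  2]: S-1-1-0
   SID[  3]: S-1-5-2
   SID[  4]: S-1-5-11
   SID[  5]: S-1-5-21-1214440339-839522115-1708537768-2254
   SID[  6]: S-1-5-21-1214440339-839522115-1708537768-513
   SID[  7]: S-1-5-21-1214440339-839522115-1708537768-2270
   SID[  8]: S-1-5-32-545
   SE_PRIV  0x0 0x0 0x0 0x0
"""

# Constructed sample: the `wbinfo -s` session quoted in the post, prompts included.
WBINFO_OUTPUT = r"""
[root at chrome boogie]$ wbinfo -s
S-1-5-21-1214440339-839522115-1708537768-6280
MELAD\tac 2
[root at chrome boogie]$ wbinfo -s
S-1-5-21-1214440339-839522115-1708537768-2270
MELAD\melsa 2
[root at chrome boogie]$ wbinfo -s
S-1-5-21-1214440339-839522115-1708537768-2254
MELAD\MELSAApps 2
[root at chrome boogie]$ wbinfo -s
S-1-5-21-1214440339-839522115-1708537768-6843
MELAD\wwwmel 2
"""

# Constructed sample: output of `groups dpullman` as quoted in the post.
UNIX_GROUPS = ("melsaunx wwwmel melsa gss gssreq office root sensor lp "
               "melsapw sa webgroup admin tac")


def parse_token_sids(log_text):
    """Return the SIDs listed in a token dump, in the order smbd printed them."""
    return SID_RE.findall(log_text)


def parse_wbinfo(text):
    """Map SID -> (short name, type code) from a `wbinfo -s` session transcript.

    A SID line is remembered and paired with the next DOMAIN\\name line;
    shell prompts and anything else are skipped.
    """
    lookup, pending = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("S-1-"):
            pending = line
        elif pending and "\\" in line:
            name, _, sidtype = line.rpartition(" ")
            lookup[pending] = (name.split("\\", 1)[-1], sidtype)  # drop DOMAIN\
            pending = None
    return lookup


def audit_token(log_text, wbinfo_text, unix_groups_line):
    """Report UNIX groups missing from the token, token groups missing in UNIX,
    and token SIDs that the wbinfo transcript could not resolve."""
    lookup = parse_wbinfo(wbinfo_text)
    token_groups, unresolved = {}, []
    for sid in parse_token_sids(log_text):
        entry = lookup.get(sid)
        if entry is None:
            unresolved.append(sid)
        elif entry[1] == WBINFO_DOMAIN_GROUP:
            token_groups[entry[0].lower()] = entry[0]  # compare case-insensitively
    unix_groups = {g.lower(): g for g in unix_groups_line.split()}
    return {
        "unix_only": sorted(unix_groups[k] for k in unix_groups.keys() - token_groups.keys()),
        "token_only": sorted(token_groups[k] for k in token_groups.keys() - unix_groups.keys()),
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    report = audit_token(TOKEN_LOG, WBINFO_OUTPUT, UNIX_GROUPS)
    print("UNIX groups not in the NT token:", ", ".join(report["unix_only"]))
    print("Token groups with no UNIX group:", ", ".join(report["token_only"]))
    print("Unresolved token SIDs:", ", ".join(report["unresolved"]))
```

Run against a real server, feed it the level-10 smbd log for one session, the concatenated `wbinfo -s` output for every SID in that token, and the `groups` line for the same user; a non-empty `unix_only` list is exactly the set of NIS groups that the 3.0.23d token will no longer grant, while `token_only` flags AD-only groups that can grant access the UNIX mode bits would deny.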
