[Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups
Brian H. Nelson
bhnelson at ysu.edu
Wed Sep 11 12:20:11 MDT 2013
I'm trying to solve this issue I'm having where using 'valid users =
+unixgroup' just plain doesn't work. I can't find any /documented/
reason why this is so, but nevertheless, it seems to be the case. This
is with samba 3.6.18, but seems to exist in all of 3.6.x and most or all
of 3.5.x and perhaps earlier as well (see bug #6681).
From what I can tell, the underlying reason it doesn't work is because
create_local_nt_token_from_info3 doesn't seem to populate the user's
token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm not
sure exactly why this is the case; the code is a bit complicated.
Ironically, if the user is explicitly mapped (username map in smb.conf)
then it *does* work. This seems to be because an explicitly-mapped user
will follow a different code path and end up using
create_token_from_username which /does/ pull local UNIX groups.
I don't understand why there is a difference in behavior between
explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name
maps to local user 'name' via idmap_nss, or some other facility). I
would think that either case should ultimately end with the same result.
This seems like a very major and long-standing problem to just be a bug.
As such I feel like I'm missing something. Can a dev or somebody with a
better understanding of the code fill me in?
Here are some reference links that sound related:
https://bugzilla.samba.org/show_bug.cgi?id=6681
http://marc.info/?l=samba&m=135879161014066&w=2
http://marc.info/?l=samba&m=120886782118153&w=2
Thanks,
Brian
--
----------------------------------------
Brian H. Nelson
Data Security Analyst I
IT Infrastructure Engineering
Youngstown State University
bhnelson[at]ysu[dot]edu
----------------------------------------
More information about the samba
mailing list