wb_group_members: non-resistance against garbage

Linda A. Walsh law at tlinx.org
Wed Aug 24 14:08:08 MDT 2011


I'd have to test to be sure, but I suspect it would ameliorate some
of the problems I was having when I had trusted-domains-only=true, as
a group lookup failure would cause a return that the 'user didn't exist'...

This, despite the fact that my file-access abilities as that user
were still working for the groups I was in...so some part -- Win7's
cached credentials for my domain, still worked (since it couldn't
contact the domain controller, due to the upper/lower case mismatch) and
thus had my group SIDs set.  Samba used those for conversion to gids
and access, but when it tried to look up my name... and
enumerate groups -- it got the foreign lookup failing,
so returned no such user...which messed things up in Windows more
than would have been necessary -- i.e. the below patch, _if_ I
understand what he's doing, would have lessened the severity of
the problem I was having at that time.

Seems like a more robust samba would be a good thing...
(from someone who finds it way too easy to screw herself up in so many
interesting and unique ways, but much more difficult to get everything
"just right")


Linda


Dmitry Butskoy wrote:
> The patch:
>
> diff -Nrup samba-3.5.9/source3/winbindd/wb_group_members.c 
> samba-3.5.9-OK/source3/winbindd/wb_group_members.c
>
> --- samba-3.5.9/source3/winbindd/wb_group_members.c     2011-06-14 
> 15:17:28.000000000 +0400
>
> +++ samba-3.5.9-OK/source3/winbindd/wb_group_members.c  2011-08-12 
> 19:39:15.000000000 +0400
>
> @@ -364,8 +364,13 @@ static void wb_group_members_done(struct
>
>         status = wb_groups_members_recv(subreq, 
> state,&num_members,&members);
>
>         TALLOC_FREE(subreq);
>
>         if (!NT_STATUS_IS_OK(status)) {
>
> +           if (NT_STATUS_EQUAL(status, 
> NT_STATUS_TRUSTED_DOMAIN_FAILURE)) {
>
> +                   DEBUG(2, ("Trusted domain failure when obtain 
> group members\n"));
>
> +                   num_members = 0;
>
> +           } else {
>
>                 tevent_req_nterror(req, status);
>
>                 return;
>
> +           }
>
>         }
>
>         new_users = new_groups = 0;
>
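Review bot: In the new NT_STATUS_TRUSTED_DOMAIN_FAILURE branch only num_members is reset, while members keeps whatever wb_groups_members_recv did or did not store on failure, and execution now continues past the if block instead of returning. Set members = NULL next to num_members = 0 so nothing later in the function can read an uninitialised pointer. The DEBUG(2, ...) message does not name the group or domain that failed, and the request now completes successfully with a shorter member list and no sign that it is partial. Consider logging the group being expanded and adding a comment that membership may be incomplete when a trusted domain is unreachable, since anything that makes access decisions from the returned list will treat it as complete.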


More information about the samba-technical mailing list