[PATCH] Support force user when the user's group sid is a wellknown/builtin

Uri Simchoni uri at samba.org
Wed Nov 18 08:20:02 UTC 2015


Hi,

This patch provides a more consistent handling of users with a primary 
group that maps to a wellknown SID.

When considering a local user (more precisely, one whose SamInfo3 is 
constructed locally rather than received from a domain controller), it 
is conceivable that the user's UNIX primary gid is mapped to a 
well-known or builtin SID.

If such a user logs on, the logon succeeds, and the SamInfo3 that's 
created during the logon has an RID of 513 (domain users). OTOH, if a 
different user logs on and connects to a share with a "force user" 
pointing to that user, the tree-connect fails with an NT_STATUS_INVALID_SID.

For consistency, this needs fixing and the fix here is for the 
tree-connect to succeed.

This can be viewed as an extension of 
https://bugzilla.samba.org/show_bug.cgi?id=11044 from supporting 
unix-user SIDs to supporting well-known SIDs as well.

Review/push appreciated.

Thanks,
Uri.
-------------- next part --------------
From 8b373862cce625d00477dba0ddce9e93e7974743 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Tue, 17 Nov 2015 21:43:44 +0200
Subject: [PATCH 1/3] auth: remove a line that has no effect

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 source3/auth/server_info.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index b537390..4d046bb 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -600,8 +600,6 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 		 */
 		gid_to_sid(&group_sid, pwd->pw_gid);
 
-		ZERO_STRUCT(domain_sid);
-
 		/*
 		 * If we are a unix group, set the group_sid to the
 		 * 'Domain Users' RID of 513 which will always resolve to a
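Review bot: the commit message says the ZERO_STRUCT(domain_sid) has no effect, but the hunk shows neither where domain_sid is declared nor any later read of it, so the reason is not visible to a reader of this patch alone. Please state it in the commit message (for example that domain_sid is never read on this path, or is always assigned before use), especially since the follow-up patch in this series starts writing domain_sid with sid_copy(&domain_sid, &user_sid) right after this spot, which would have overwritten the zeroed value anyway.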
-- 
2.4.3


From a145c96ccdd8af8cb1f7b3e68311338d391696d1 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Tue, 17 Nov 2015 23:05:10 +0200
Subject: [PATCH 2/3] auth: consistent handling of well-known alias as primary
 gid

When a local user has its primary group id mapped to a well-known
alias or a builtin group, smbd accepts logins of such a user, but
fails tree-connects to shares with a "force user" set to this user
with an error of NT_STATUS_INVALID_SID.

This fix causes the connect to succeed and the NT token to resemble
the token that would have been created in a login.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 source3/auth/server_info.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 4d046bb..9194cbd 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -599,16 +599,27 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 		 * will be rejected by other Samba code.
 		 */
 		gid_to_sid(&group_sid, pwd->pw_gid);
+	}
 
-		/*
-		 * If we are a unix group, set the group_sid to the
-		 * 'Domain Users' RID of 513 which will always resolve to a
-		 * name.
-		 */
-		if (sid_check_is_in_unix_groups(&group_sid)) {
+	/*
+	 * If we are a unix group, or a wellknown/builtin alias,
+	 * set the group_sid to the
+	 * 'Domain Users' RID of 513 which will always resolve to a
+	 * name.
+	 */
+	if (sid_check_is_in_unix_groups(&group_sid) ||
+	    sid_check_is_in_builtin(&group_sid) ||
+	    sid_check_is_in_wellknown_domain(&group_sid)) {
+		if (sid_check_is_in_unix_users(&user_sid)) {
 			sid_compose(&group_sid,
 				    get_global_sam_sid(),
 				    DOMAIN_RID_USERS);
+		} else {
+			sid_copy(&domain_sid, &user_sid);
+			sid_split_rid(&domain_sid, NULL);
+			sid_compose(&group_sid,
+				    &domain_sid,
+				    DOMAIN_RID_USERS);
 		}
 	}
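Review bot: the return value of sid_split_rid(&domain_sid, NULL) in the else branch is ignored. If user_sid has no sub-authorities the split fails, domain_sid stays identical to user_sid, and sid_compose() then produces "user_sid + 513" rather than a domain SID with RID 513; a check along the lines of "if (!sid_split_rid(&domain_sid, NULL)) { return NT_STATUS_INVALID_SID; }" (or whatever the function's existing error convention is) keeps the failure explicit instead of letting an odd group SID into the token. Two smaller points on the same hunk: the "+	}" at the top closes a block whose opening is above the hunk, so the rewritten check now runs on every path through this part of the function rather than only after gid_to_sid(); the commit message should say that this widening is intended. And when user_sid is in the global SAM domain, the else branch computes the same result as the sid_check_is_in_unix_users() branch, so the two arms could collapse into one if that is the only case the unix-users branch exists for.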
 
-- 
2.4.3


From e958dfae057d412a5c055594bd63448a836d3c0f Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Tue, 17 Nov 2015 23:14:36 +0200
Subject: [PATCH 3/3] selftest: add test for force user and well-known primary
 group

Add a test for connecting to a share with a "force user" whose
primary unix gid maps to a well-known alias.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 selftest/target/Samba3.pm                   | 19 +++++++++++++++++--
 source3/script/tests/test_smbclient_auth.sh |  1 +
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1c54dae..94612b2 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1228,8 +1228,9 @@ sub provision($$$$$$$$)
 
 	my ($max_uid, $max_gid);
 	my ($uid_nobody, $uid_root, $uid_pdbtest, $uid_pdbtest2, $uid_userdup);
+	my ($uid_pdbtest_wkn);
 	my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins);
-	my ($gid_userdup);
+	my ($gid_userdup, $gid_everyone);
 
 	if ($unix_uid < 0xffff - 5) {
 		$max_uid = 0xffff;
@@ -1242,8 +1243,9 @@ sub provision($$$$$$$$)
 	$uid_pdbtest = $max_uid - 3;
 	$uid_pdbtest2 = $max_uid - 4;
 	$uid_userdup = $max_uid - 5;
+	$uid_pdbtest_wkn = $max_uid - 6;
 
-	if ($unix_gids[0] < 0xffff - 6) {
+	if ($unix_gids[0] < 0xffff - 7) {
 		$max_gid = 0xffff;
 	} else {
 		$max_gid = $unix_gids[0];
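Review bot: the uid guard was not bumped to match the new uid. The previous hunk's context still reads "if ($unix_uid < 0xffff - 5)" while this hunk adds "$uid_pdbtest_wkn = $max_uid - 6;", so when $unix_uid sits exactly at 0xffff - 6 the new test user can collide with the provisioning uid. The gid guard in this hunk was correctly bumped from "0xffff - 6" to "0xffff - 7"; the uid guard needs the same treatment ("0xffff - 6").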
@@ -1255,6 +1257,7 @@ sub provision($$$$$$$$)
 	$gid_domusers = $max_gid - 4;
 	$gid_domadmins = $max_gid - 5;
 	$gid_userdup = $max_gid - 6;
+	$gid_everyone = $max_gid - 7;
 
 	##
 	## create conffile
@@ -1398,9 +1401,15 @@ sub provision($$$$$$$$)
         force user = $unix_name
         guest ok = yes
 [forceuser_unixonly]
+	comment = force a user with unix user SID and group SID
 	path = $shrdir
 	force user = pdbtest
 	guest ok = yes
+[forceuser_wkngroup]
+	comment = force a user with well-known group SID
+	path = $shrdir
+	force user = pdbtest_wkn
+	guest ok = yes
 [forcegroup]
 	path = $shrdir
         force group = nogroup
@@ -1528,6 +1537,7 @@ $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
 pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
 pdbtest2:x:$uid_pdbtest2:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
 userdup:x:$uid_userdup:$gid_userdup:userdup gecos:$prefix_abs:/bin/false
+pdbtest_wkn:x:$uid_pdbtest_wkn:$gid_everyone:pdbtest_wkn gecos:$prefix_abs:/bin/false
 ";
 	if ($unix_uid != 0) {
 		print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
@@ -1545,6 +1555,7 @@ $unix_name-group:x:$unix_gids[0]:
 domusers:X:$gid_domusers:
 domadmins:X:$gid_domadmins:
 userdup:x:$gid_userdup:$unix_name
+everyone:x:$gid_everyone:
 ";
 	if ($unix_gids[0] != 0) {
 		print GROUP "root:x:$gid_root:
@@ -1737,6 +1748,10 @@ sub wait_for_start($$$$$)
 	if ($ret != 0) {
 	    return 1;
 	}
+	$ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin");
+	if ($ret != 0) {
+	    return 1;
+	}
 
 	if ($winbindd eq "yes") {
 	    # note: creating builtin groups requires winbindd for the
diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh
index 24e98b1..057414c 100755
--- a/source3/script/tests/test_smbclient_auth.sh
+++ b/source3/script/tests/test_smbclient_auth.sh
@@ -28,5 +28,6 @@ testit "smbclient //$SERVER/tmpguest as anon" $SMBCLIENT //$SERVER/tmpguest $CON
 testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forceuser as anon" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forceuser_unixonly" $SMBCLIENT //$SERVER/forceuser_unixonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forceuser_wkngroup" $SMBCLIENT //$SERVER/forceuser_wkngroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forcegroup as anon" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
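Review bot: only the authenticated connection to forceuser_wkngroup is tested, while the neighbouring forceuser share is tested both as $USERNAME and as anonymous ("-U%"). Since the share is provisioned with "guest ok = yes" and the cover letter describes the failure as occurring on the tree-connect regardless of who the connecting user is, an "as anon" variant of the new testit line would exercise the same code path with a guest token and costs one line.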
-- 
2.4.3