Can anyone with knowledge about this issue offer any comment? Somebody has to have an idea about it, good or bad.

Thanks,
Brian


On 9/11/2013 2:20 PM, Brian H. Nelson wrote:
I'm trying to solve this issue I'm having where using 'valid users = +unixgroup' just plain doesn't work. I can't find any /documented/ reason why this is so, but nevertheless, it seems to be the case. This is with samba 3.6.18, but seems to exist in all of 3.6.x and most or all of 3.5.x and perhaps earlier as well (see bug #6681).

From what I can tell, the underlying reason it doesn't work is because create_local_nt_token_from_info3 doesn't seem to populate the user's token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm not sure exactly why this is the case; the code is a bit complicated.

Ironically, if the user is explicitly mapped (username map in smb.conf) then it *does* work. This seems to be because an explicitly-mapped user will follow a different code path and end up using create_token_from_username which /does/ pull local UNIX groups.

I don't understand why there is a difference in behavior between explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name maps to local user 'name' via idmap_nss, or some other facility). I would think that either case should ultimately end with the same result.

This seems like a very major and long-standing problem to just be a bug. As such I feel like I'm missing something. Can a dev or somebody with a better understanding of the code fill me in?

Here are some reference links that sound related:
https://bugzilla.samba.org/show_bug.cgi?id=6681
http://marc.info/?l=samba&m=135879161014066&w=2
http://marc.info/?l=samba&m=120886782118153&w=2

Thanks,
Brian


--
----------------------------------------
Brian H. Nelson
Data Security Analyst I
IT Infrastructure Engineering
Youngstown State University
bhnelson[at]ysu[dot]edu
----------------------------------------
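The poster reports that an explicit entry in the Samba username map makes `valid users = +unixgroup` behave, because explicitly mapped users take the `create_token_from_username` code path that does pull local UNIX groups. As an added example (not from the thread or from Samba itself), the script below generates such a map for every member of a UNIX group; the domain name, group name and the group database it reads are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit a Samba "username map" file that explicitly maps
# DOMAIN\user to the local user of the same name for every member of a
# given UNIX group. Format per line: localname = DOMAIN\winname
# Assumptions (placeholders): domain EXAMPLE, group unixgroup, and the
# constructed group database below instead of the real /etc/group.

SAMPLE_GROUP_DB='root:x:0:
unixgroup:x:1001:alice,bob,carol
wheel:x:10:alice'

# usage: gen_username_map DOMAIN GROUP [groupfile]
# Prints one map line per member; returns 1 if GROUP is absent or empty,
# so an admin notices a typo before restarting smbd with an empty map.
gen_username_map() {
    domain=$1; group=$2; groupfile=${3:-/etc/group}
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$groupfile")
    [ -n "$members" ] || return 1
    echo "$members" | tr ',' '\n' | while IFS= read -r u; do
        # printf turns the \\ in the format into a single literal backslash
        [ -n "$u" ] && printf '%s = %s\\%s\n' "$u" "$domain" "$u"
    done
}

# usage: gen_share_conf SHARENAME GROUP MAPFILE
# Prints the smb.conf fragments that reference the generated map and keep
# the share restricted to the UNIX group via "valid users = +GROUP".
gen_share_conf() {
    printf '[global]\n   username map = %s\n\n' "$3"
    printf '[%s]\n   path = /srv/%s\n   valid users = +%s\n' "$1" "$1" "$2"
}

# Stand-alone run against the constructed group database (placeholders).
tmpgroup=$(mktemp)
printf '%s\n' "$SAMPLE_GROUP_DB" > "$tmpgroup"
gen_username_map EXAMPLE unixgroup "$tmpgroup"
gen_share_conf data unixgroup /etc/samba/user.map
rm -f "$tmpgroup"
```

Point `username map` at the generated file and re-test the share; the map must be regenerated whenever group membership changes, which is the cost of this workaround compared with the implicit mapping the poster expected to work.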

