Re: [Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups

2013-10-04 Thread Volker Lendecke
On Thu, Oct 03, 2013 at 10:37:07AM -0400, Brian H. Nelson wrote:
 Can anyone with knowledge about this issue offer any comment?
 Somebody has to have an idea about it, good or bad.

The general idea is that we 100% rely on what the Domain
Controller tells us. username map is an explicit override
by which you tell Samba that you do not want to listen to
the domain. If you happen to run with winbind, you might
want to create local groups and add members to those. (net
sam createlocalgroup, addmem and so on).

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups

2013-10-03 Thread Brian H. Nelson
Can anyone with knowledge about this issue offer any comment? Somebody 
has to have an idea about it, good or bad.


Thanks,
Brian


On 9/11/2013 2:20 PM, Brian H. Nelson wrote:
I'm trying to solve this issue I'm having where using 'valid users = 
+unixgroup' just plain doesn't work. I can't find any /documented/ 
reason why this is so, but nevertheless, it seems to be the case. This 
is with samba 3.6.18, but seems to exist in all of 3.6.x and most or 
all of 3.5.x and perhaps earlier as well (see bug #6681).


From what I can tell, the underlying reason it doesn't work is because 
create_local_nt_token_from_info3 doesn't seem to populate the user's 
token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm 
not sure exactly why this is the case; the code is a bit complicated.


Ironically, if the user is explicitly mapped (username map in 
smb.conf) then it *does* work. This seems to be because an 
explicitly-mapped user will follow a different code path and end up 
using create_token_from_username which /does/ pull local UNIX groups.


I don't understand why there is a difference in behavior between 
explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name 
maps to local user 'name' via idmap_nss, or some other facility). I 
would think that either case should ultimately end with the same result.


This seems like a very major and long-standing problem to just be a 
bug. As such I feel like I'm missing something. Can a dev or somebody 
with a better understanding of the code fill me in?


Here are some reference links that sound related:
https://bugzilla.samba.org/show_bug.cgi?id=6681
http://marc.info/?l=samba&m=135879161014066&w=2
http://marc.info/?l=samba&m=120886782118153&w=2

Thanks,
Brian



--

Brian H. Nelson
Data Security Analyst I
IT Infrastructure Engineering
Youngstown State University
bhnelson[at]ysu[dot]edu





Re: [Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups

2013-09-12 Thread Brian H. Nelson
According to the smb.conf man page, using @group is equivalent to &+group 
where '&' means check it as an NIS netgroup and '+' means check it as a 
local UNIX group. Just +group should be what I want (I'm not using NIS) 
but I admit I haven't tested much with @group.


Another interesting facet is that the RHEL-provided samba builds *do 
not* exhibit the problem I'm seeing. They bundle in a number of patches. 
Apparently one (or more) of them is changing this specific behavior.


Brian



On 9/11/2013 3:18 PM, Brian Cuttler wrote:

I thought it was @group rather than +group in the
samba.conf share definition...







[Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups

2013-09-11 Thread Brian H. Nelson
I'm trying to solve this issue I'm having where using 'valid users = 
+unixgroup' just plain doesn't work. I can't find any /documented/ 
reason why this is so, but nevertheless, it seems to be the case. This 
is with samba 3.6.18, but seems to exist in all of 3.6.x and most or all 
of 3.5.x and perhaps earlier as well (see bug #6681).


From what I can tell, the underlying reason it doesn't work is because 
create_local_nt_token_from_info3 doesn't seem to populate the user's 
token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm not 
sure exactly why this is the case; the code is a bit complicated.


Ironically, if the user is explicitly mapped (username map in smb.conf) 
then it *does* work. This seems to be because an explicitly-mapped user 
will follow a different code path and end up using 
create_token_from_username which /does/ pull local UNIX groups.


I don't understand why there is a difference in behavior between 
explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name 
maps to local user 'name' via idmap_nss, or some other facility). I 
would think that either case should ultimately end with the same result.


This seems like a very major and long-standing problem to just be a bug. 
As such I feel like I'm missing something. Can a dev or somebody with a 
better understanding of the code fill me in?


Here are some reference links that sound related:
https://bugzilla.samba.org/show_bug.cgi?id=6681
http://marc.info/?l=samba&m=135879161014066&w=2
http://marc.info/?l=samba&m=120886782118153&w=2

Thanks,
Brian




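To make the behaviour discussed in this thread concrete, here is an added illustration (written for this page, not Samba's own code) that models the 'valid users' prefix lookup from the 2013-09-12 message together with the token contents from the original report: the group names, GIDs and netgroup memberships are constructed sample data, and the "info3 path" token simply omits the supplementary S-1-22-2 SIDs as Brian observed.

```python
# Added example, not Samba code: a simplified model of how a share's
# 'valid users' group entry is matched against a user's NT token, to show
# why '+unixgroup' fails when the token lacks S-1-22-2-<gid> SIDs.
# Prefix semantics follow smb.conf(5): '+' UNIX group only, '&' NIS
# netgroup only, '@' netgroup then UNIX group, '&+'/'+&' both in that order.
# All group names, GIDs and memberships below are constructed sample data.

UNIX_GROUPS = {"unixgroup": 1005, "staff": 50}   # constructed /etc/group
NIS_NETGROUPS = {"unixgroup": {"alice"}}         # constructed netgroup map

def unix_group_sid(gid):
    """Samba's pseudo-SID for a UNIX group: S-1-22-2-<gid>."""
    return "S-1-22-2-%d" % gid

def parse_group_entry(entry):
    """Return (group name, ordered lookup sources) or None for a plain user."""
    order, name = [], entry
    while name and name[0] in "@+&":
        prefix, name = name[0], name[1:]
        order += {"@": ["nis", "unix"], "+": ["unix"], "&": ["nis"]}[prefix]
    return (name, order) if order else None

def build_token(primary_gid, supplementary_gids, include_supplementary):
    """Model the two code paths from the thread: the username-map path adds
    an S-1-22-2 SID for every UNIX group; the info3 path (as reported for
    3.6.x) contributes only the primary group."""
    sids = {unix_group_sid(primary_gid)}
    if include_supplementary:
        sids.update(unix_group_sid(g) for g in supplementary_gids)
    return sids

def entry_grants_access(entry, username, token_sids):
    """Evaluate one 'valid users' group entry against the user's token,
    trying each lookup source in the order the prefix requests."""
    parsed = parse_group_entry(entry)
    if parsed is None:
        return False
    name, order = parsed
    for source in order:
        if source == "nis" and username in NIS_NETGROUPS.get(name, ()):
            return True
        if source == "unix" and name in UNIX_GROUPS:
            if unix_group_sid(UNIX_GROUPS[name]) in token_sids:
                return True
    return False   # group unknown in every requested database, or not a member

if __name__ == "__main__":
    full = build_token(50, [1005], include_supplementary=True)
    info3 = build_token(50, [1005], include_supplementary=False)
    print("username map path:", entry_grants_access("+unixgroup", "bob", full))   # True
    print("info3 path:       ", entry_grants_access("+unixgroup", "bob", info3))  # False
```

Running it shows the same smb.conf entry granting access on one token and denying it on the other, which is exactly the explicit-versus-implicit mapping difference the thread asks about.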