The Samba-Bugzilla – Attachment 11609 Details for
Bug 11608
Cannot force local user if gid maps to a wellknown/builtin SID
[patch]
git-am fix for 4.3.next
wkn43.patch (text/plain), 7.42 KB, created by
Uri Simchoni
on 2015-11-20 18:39:48 UTC
Description:
git-am fix for 4.3.next
Filename:
MIME Type:
Creator:
Uri Simchoni
Created:
2015-11-20 18:39:48 UTC
Size:
7.42 KB
patch
obsolete
>From c9fa5ea7d031d4d43258a72d49932b37ec0fe499 Mon Sep 17 00:00:00 2001
>From: Uri Simchoni <uri@samba.org>
>Date: Tue, 17 Nov 2015 21:43:44 +0200
>Subject: [PATCH 1/3] auth: remove a line that has no effect
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608
>
>Signed-off-by: Uri Simchoni <uri@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 42b7d48f76189b1e138f5cac6489a4d018598c87)
>---
> source3/auth/server_info.c | 2 --
> 1 file changed, 2 deletions(-)
>
>diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
>index b537390..4d046bb 100644
>--- a/source3/auth/server_info.c
>+++ b/source3/auth/server_info.c
>@@ -600,8 +600,6 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> */
> gid_to_sid(&group_sid, pwd->pw_gid);
>
>- ZERO_STRUCT(domain_sid);
>-
> /*
> * If we are a unix group, set the group_sid to the
> * 'Domain Users' RID of 513 which will always resolve to a
>--
>2.4.3
>
>
>From 79d83546ac7765ec990f482fc91519e1aa650461 Mon Sep 17 00:00:00 2001
>From: Uri Simchoni <uri@samba.org>
>Date: Tue, 17 Nov 2015 23:05:10 +0200
>Subject: [PATCH 2/3] auth: consistent handling of well-known alias as primary
> gid
>
>When a local user has its primary group id mapped to a well-known
>alias or a builtin group, smbd accepts logins of such a user, but
>fails tree-connects to shares with a "force user" set to this user
>with an error of NT_STATUS_INVALID_SID.
>
>This fix causes the connect to succeed and the NT token to resemble
>the token that would have been created in a login.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608
>
>Signed-off-by: Uri Simchoni <uri@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit d8717a038ef82caf05fff611c7cf92aecc436563)
>---
> source3/auth/server_info.c | 23 +++++++++++++++++------
> 1 file changed, 17 insertions(+), 6 deletions(-)
>
>diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
>index 4d046bb..9194cbd 100644
>--- a/source3/auth/server_info.c
>+++ b/source3/auth/server_info.c
>@@ -599,16 +599,27 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> * will be rejected by other Samba code.
> */
> gid_to_sid(&group_sid, pwd->pw_gid);
>+ }
>
>- /*
>- * If we are a unix group, set the group_sid to the
>- * 'Domain Users' RID of 513 which will always resolve to a
>- * name.
>- */
>- if (sid_check_is_in_unix_groups(&group_sid)) {
>+ /*
>+ * If we are a unix group, or a wellknown/builtin alias,
>+ * set the group_sid to the
>+ * 'Domain Users' RID of 513 which will always resolve to a
>+ * name.
>+ */
>+ if (sid_check_is_in_unix_groups(&group_sid) ||
>+ sid_check_is_in_builtin(&group_sid) ||
>+ sid_check_is_in_wellknown_domain(&group_sid)) {
>+ if (sid_check_is_in_unix_users(&user_sid)) {
> sid_compose(&group_sid,
> get_global_sam_sid(),
> DOMAIN_RID_USERS);
>+ } else {
>+ sid_copy(&domain_sid, &user_sid);
>+ sid_split_rid(&domain_sid, NULL);
>+ sid_compose(&group_sid,
>+ &domain_sid,
>+ DOMAIN_RID_USERS);
> }
> }
>
>--
>2.4.3
>
>
>From b4046bfc7d5382a19d0fb1309208480aa51c67b5 Mon Sep 17 00:00:00 2001
>From: Uri Simchoni <uri@samba.org>
>Date: Tue, 17 Nov 2015 23:14:36 +0200
>Subject: [PATCH 3/3] selftest: add test for force user and well-known primary
> group
>
>Add a test for connecting to a share with a "force user" whos
>primary unix gid maps to a well-known alias.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608
>
>Signed-off-by: Uri Simchoni <uri@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>
>Autobuild-User(master): Jeremy Allison <jra@samba.org>
>Autobuild-Date(master): Thu Nov 19 23:20:36 CET 2015 on sn-devel-104
>(cherry picked from commit d451bbaee2e025d4135f686c0f220d6337dbf38e)
>---
> selftest/target/Samba3.pm | 18 +++++++++++++++++-
> source3/script/tests/test_smbclient_auth.sh | 1 +
> 2 files changed, 18 insertions(+), 1 deletion(-)
>
>diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
>index 774d7a0..931667e 100755
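Review bot: In the new else branch of the passwd_to_SamInfo3 hunk (PATCH 2/3), the result of `sid_split_rid(&domain_sid, NULL);` is ignored, so if the split fails the primary group SID placed in the token is composed from an unstripped copy of user_sid. Since this SID feeds the NT token used for access checks, I would fail closed here, e.g. `if (!sid_split_rid(&domain_sid, NULL)) { /* return NT_STATUS_INVALID_SID via the function's error path */ }`; the cleanup path itself is outside the hunk, so the exact form needs to follow the rest of the function. The rewritten comment could also state that the substitution now runs after the enclosing block is closed (the added `}`), which appears to make it apply to every way group_sid was obtained rather than only the gid_to_sid() path.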
>--- a/selftest/target/Samba3.pm
>+++ b/selftest/target/Samba3.pm
>@@ -1202,7 +1202,9 @@ sub provision($$$$$$$$)
>
> my ($max_uid, $max_gid);
> my ($uid_nobody, $uid_root, $uid_pdbtest, $uid_pdbtest2);
>+ my ($uid_pdbtest_wkn);
> my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins);
>+ my ($gid_everyone);
>
> if ($unix_uid < 0xffff - 4) {
> $max_uid = 0xffff;
>@@ -1214,8 +1216,9 @@ sub provision($$$$$$$$)
> $uid_nobody = $max_uid - 2;
> $uid_pdbtest = $max_uid - 3;
> $uid_pdbtest2 = $max_uid - 4;
>+ $uid_pdbtest_wkn = $max_uid - 6;
>
>- if ($unix_gids[0] < 0xffff - 5) {
>+ if ($unix_gids[0] < 0xffff - 7) {
> $max_gid = 0xffff;
> } else {
> $max_gid = $unix_gids[0];
>@@ -1226,6 +1229,7 @@ sub provision($$$$$$$$)
> $gid_root = $max_gid - 3;
> $gid_domusers = $max_gid - 4;
> $gid_domadmins = $max_gid - 5;
>+ $gid_everyone = $max_gid - 7;
>
> ##
> ## create conffile
>@@ -1368,9 +1372,15 @@ sub provision($$$$$$$$)
> force user = $unix_name
> guest ok = yes
> [forceuser_unixonly]
>+ comment = force a user with unix user SID and group SID
> path = $shrdir
> force user = pdbtest
> guest ok = yes
>+[forceuser_wkngroup]
>+ comment = force a user with well-known group SID
>+ path = $shrdir
>+ force user = pdbtest_wkn
>+ guest ok = yes
> [forcegroup]
> path = $shrdir
> force group = nogroup
>@@ -1497,6 +1507,7 @@ sub provision($$$$$$$$)
> $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
> pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
> pdbtest2:x:$uid_pdbtest2:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
>+pdbtest_wkn:x:$uid_pdbtest_wkn:$gid_everyone:pdbtest_wkn gecos:$prefix_abs:/bin/false
> ";
> if ($unix_uid != 0) {
> print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
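Review bot: The uid range guard in provision() was not widened to match the new allocation: the `@@ -1214` hunk adds `$uid_pdbtest_wkn = $max_uid - 6;`, but the context line in the `@@ -1202` hunk still reads `if ($unix_uid < 0xffff - 4) {`, whereas the gid guard in the same patch was moved from `- 5` to `- 7`. With the guard unchanged, a runner whose `$unix_uid` equals `0xffff - 6` takes the `$max_uid = 0xffff` branch and pdbtest_wkn is written to the passwd file with the same uid as `$unix_name`, so the forced-user test would silently run as the wrong account. I would change the guard to `if ($unix_uid < 0xffff - 6) {` and add a one-line comment next to the assignments explaining why offsets 5 (uid) and 6 (gid) are skipped, since the reason is not visible here.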
>@@ -1513,6 +1524,7 @@ nogroup:x:$gid_nogroup:nobody
> $unix_name-group:x:$unix_gids[0]:
> domusers:X:$gid_domusers:
> domadmins:X:$gid_domadmins:
>+everyone:x:$gid_everyone:
> ";
> if ($unix_gids[0] != 0) {
> print GROUP "root:x:$gid_root:
>@@ -1705,6 +1717,10 @@ sub wait_for_start($$$$$)
> if ($ret != 0) {
> return 1;
> }
>+ $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin");
>+ if ($ret != 0) {
>+ return 1;
>+ }
>
> if ($winbindd eq "yes") {
> # note: creating builtin groups requires winbindd for the
>diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh
>index 24e98b1..057414c 100755
>--- a/source3/script/tests/test_smbclient_auth.sh
>+++ b/source3/script/tests/test_smbclient_auth.sh
>@@ -28,5 +28,6 @@ testit "smbclient //$SERVER/tmpguest as anon" $SMBCLIENT //$SERVER/tmpguest $CON
> testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
> testit "smbclient //$SERVER/forceuser as anon" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
> testit "smbclient //$SERVER/forceuser_unixonly" $SMBCLIENT //$SERVER/forceuser_unixonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
>+testit "smbclient //$SERVER/forceuser_wkngroup" $SMBCLIENT //$SERVER/forceuser_wkngroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
> testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
> testit "smbclient //$SERVER/forcegroup as anon" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
>--
>2.4.3
>
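Review bot: The added `net ... groupmap add` step in wait_for_start() (the `@@ -1705` hunk) returns 1 on failure with no diagnostic, so a mapping that could not be created is indistinguishable from any other start-up failure in the selftest log. I would print the reason before returning, e.g. `warn("Unable to map S-1-1-0 to unix group 'everyone'\n");`, and put a comment above the call such as `# map the Everyone SID to a unix group so pdbtest_wkn gets a well-known primary group SID`. The command is also built as a single interpolated string and therefore goes through the shell; that looks consistent with how the file builds other commands, but the values interpolated here should stay harness-controlled. The body of wait_for_start() continues outside the hunk.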
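Review bot: The new `forceuser_wkngroup` case in test_smbclient_auth.sh only runs `-c quit`, so it asserts that the tree connect succeeds but not what primary group SID ended up in the forced user's token. The commit message for PATCH 2/3 says the token should resemble the one created at login; since that token decides access on the share, a follow-up check that inspects the resulting group (for instance by creating a file on the share and checking its owning group on the server side) would pin the behaviour the fix claims. A short comment above the line, `# force user whose primary gid maps to a well-known SID (bug 11608)`, would also help readers tell this case apart from `forceuser_unixonly`.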
Flags:
jra
:
review+