Bug 1016 - Net groupmap add / delete / modify doesn't update users' Primary group SID
Status: RESOLVED WONTFIX
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.0
Hardware: All Linux
Importance: P3 critical
Target Milestone: none
Assigned To: Samba Bugzilla Account
http://lists.samba.org/archive/samba-...
Depends on:
Blocks: 828
Reported: 2004-01-30 01:20 UTC by Ganael LAPLANCHE
Modified: 2006-02-27 13:57 UTC (History)

Attachments
Activates users' primary group SID update when adding/modifying/deleting a group mapping. (4.38 KB, patch)
2004-01-30 01:25 UTC, Ganael LAPLANCHE

Description Ganael LAPLANCHE 2004-01-30 01:20:22 UTC
Security issue: net_groupmap doesn't update users' sambaPrimaryGroupSID
when adding/modifying/deleting a mapping that involves the users' Unix
primary group. Users keep getting rights provided by the "old"
sambaPrimaryGroupSID. We should scan the users to update their
sambaPrimaryGroupSIDs (this will unfortunately decrease performance).
Comment 1 Ganael LAPLANCHE 2004-01-30 01:25:22 UTC
Created attachment 374
Activates users' primary group SID update when adding/modifying/deleting a group mapping.

!!!WARNING!!!: THIS PATCH DOESN'T WORK WITH TDB BACKEND, but it works perfectly
with ldap backend. Since I'm not a Samba guru, I couldn't make this patch work
with TDB backend. I think it is very simple to fix: the problem is pdb_ldap and
pdb_tdb don't update sam account the same way: pdb_tdb.c invalidates the
iterator during a sam update (while pdb_ldap doesn't), so the main loop crashes
after the first pdb_update_sam_account while trying to use pdb_getsampwent. The
patch may be easy to fix and can be a good start for a final bugfix.
Comment 2 Gerald (Jerry) Carter 2004-03-18 07:06:00 UTC
moving to 3.0
Comment 3 Gerald (Jerry) Carter 2004-03-18 07:06:44 UTC
resetting component
Comment 4 Gerald (Jerry) Carter 2005-11-14 09:28:07 UTC
database cleanup
Comment 5 Gerald (Jerry) Carter 2006-02-27 13:57:24 UTC
Closing.  In 3.0.22, the primaryGroupSID attribute will be 
ignored and generated at run time directly from the 
Unix primary gid.
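
An added example, not part of the bug report or of the Samba source: one way to scan an LDAP export for the stale values the description refers to, by comparing each account's stored sambaPrimaryGroupSID with the SID currently mapped to its Unix primary gid. The LDIF entries, DNs and SIDs are constructed, the function names are hypothetical, and the reader assumes plain `attr: value` lines with no folding or base64 values.

```python
# Constructed sample export, trimmed to the attributes the check reads.
SAMPLE_LDIF = """\
dn: cn=staff,dc=example,dc=org
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-1-2-3-3001

dn: uid=alice,dc=example,dc=org
objectClass: sambaSamAccount
gidNumber: 1001
sambaPrimaryGroupSID: S-1-5-21-1-2-3-3001

dn: uid=bob,dc=example,dc=org
objectClass: sambaSamAccount
gidNumber: 1001
sambaPrimaryGroupSID: S-1-5-21-1-2-3-3002

dn: uid=carol,dc=example,dc=org
objectClass: sambaSamAccount
gidNumber: 1003
sambaPrimaryGroupSID: S-1-5-21-1-2-3-3003
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict of attribute -> list of values per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def stale_primary_groups(entries):
    """Return (dn, stored SID, SID mapped to the Unix primary gid) per mismatch."""
    gid_to_sid = {e["gidNumber"][0]: e["sambaSID"][0]
                  for e in entries if "sambaGroupMapping" in e.get("objectClass", [])}
    users = [e for e in entries if "sambaSamAccount" in e.get("objectClass", [])]
    stale = []
    for e in users:
        stored = e.get("sambaPrimaryGroupSID", [None])[0]
        expected = gid_to_sid.get(e["gidNumber"][0])  # None: gid has no mapping
        if stored != expected:
            stale.append((e["dn"][0], stored, expected))
    return stale

if __name__ == "__main__":
    for dn, stored, expected in stale_primary_groups(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: stored={stored} expected={expected}")
```

The mismatches are collected in a list before anything is changed, so any follow-up update pass runs after the scan has finished rather than during it.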