Bug 1016 - Net groupmap add / delete / modify doesn't update users' Primary group SID
Summary: Net groupmap add / delete / modify doesn't update users' Primary group SID
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.0
Hardware: All Linux
Importance: P3 critical
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact:
URL: http://lists.samba.org/archive/samba-...
Keywords:
Depends on:
Blocks: 828
Reported: 2004-01-30 01:20 UTC by Ganael LAPLANCHE
Modified: 2006-02-27 13:57 UTC (History)

See Also:


Attachments
Activates users' primary group SID update when adding/modifying/deleting a group mapping. (4.38 KB, patch)
2004-01-30 01:25 UTC, Ganael LAPLANCHE

Description Ganael LAPLANCHE 2004-01-30 01:20:22 UTC
Security issue: net_groupmap doesn't update users' sambaPrimaryGroupSID
when adding/modifying/deleting a mapping that involves the users' Unix
primary group. Users keep getting rights provided by the "old"
sambaPrimaryGroupSID. We should scan the users to update their
sambaPrimaryGroupSIDs (this will unfortunately decrease performance).
Comment 1 Ganael LAPLANCHE 2004-01-30 01:25:22 UTC
Created attachment 374
Activates users' primary group SID update when adding/modifying/deleting a group mapping.

!!!WARNING!!!: THIS PATCH DOESN'T WORK WITH TDB BACKEND, but it works perfectly
with ldap backend. Since I'm not a Samba guru, I couldn't make this patch work
with TDB backend. I think it is very simple to fix: the problem is that pdb_ldap
and pdb_tdb don't update the sam account the same way: pdb_tdb.c invalidates the
iterator during a sam update (while pdb_ldap doesn't), so the main loop crashes
after the first pdb_update_sam_account while trying to use pdb_getsampwent. The
patch may be easy to fix and can be a good start for a final bugfix.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-03-18 07:06:00 UTC
moving to 3.0
Comment 3 Gerald (Jerry) Carter (dead mail address) 2004-03-18 07:06:44 UTC
resetting component
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:28:07 UTC
database cleanup
Comment 5 Gerald (Jerry) Carter (dead mail address) 2006-02-27 13:57:24 UTC
Closing.  In 3.0.22, the primaryGroupSID attribute will be 
ignored and generated at run time directly from the 
Unix primary gid.
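
Added example, not part of the bug thread or of Samba's code: an offline audit for the inconsistency in the report, flagging users whose stored sambaPrimaryGroupSID no longer matches the SID mapped to their Unix primary gid, for directories where the stored attribute is still honoured. The entries, DNs and SIDs are constructed sample data; `gidNumber` and `sambaSID` are assumed to be exported from the posixAccount and sambaGroupMapping entries.

```python
# Constructed sample data: LDAP entries reduced to the attributes that matter.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

GROUP_MAPPINGS = [  # sambaGroupMapping entries after the latest "net groupmap" change
    {"cn": "staff", "gidNumber": "1000", "sambaSID": DOM + "-3001"},
    {"cn": "admins", "gidNumber": "1001", "sambaSID": DOM + "-3003"},
]

USERS = [
    {"uid": "alice", "gidNumber": "1000", "sambaPrimaryGroupSID": DOM + "-3001"},
    # gid 1000 was remapped, but the account still carries the old SID
    {"uid": "bob", "gidNumber": "1000", "sambaPrimaryGroupSID": DOM + "-3003"},
    # the mapping for gid 1002 was deleted, the stored SID was left behind
    {"uid": "carol", "gidNumber": "1002", "sambaPrimaryGroupSID": DOM + "-3005"},
    # no stored attribute: nothing can be stale
    {"uid": "dave", "gidNumber": "1001"},
]


def audit_primary_group_sids(users, mappings):
    """Return (uid, stored_sid, expected_sid, reason) for each inconsistent user."""
    sid_by_gid = {m["gidNumber"]: m["sambaSID"] for m in mappings}
    findings = []
    for user in users:
        stored = user.get("sambaPrimaryGroupSID")
        if stored is None:
            continue
        expected = sid_by_gid.get(user["gidNumber"])
        if expected is None:
            # Mapping deleted: the account still names a group SID nothing maps to.
            findings.append((user["uid"], stored, None, "unmapped"))
        elif stored != expected:
            # Mapping added or modified: the account kept the "old" SID.
            findings.append((user["uid"], stored, expected, "stale"))
    return findings


if __name__ == "__main__":
    for uid, stored, expected, reason in audit_primary_group_sids(USERS, GROUP_MAPPINGS):
        print(f"{uid}: {reason}: stored={stored} expected={expected}")
```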