Security issue: net_groupmap doesn't update users' sambaPrimaryGroupSID
when adding/modifying/deleting a mapping that involves the users' Unix
primary group. Users keep getting rights provided by the "old"
sambaPrimaryGroupSID. We should scan the users to update their
sambaPrimaryGroupSIDs (this will unfortunately decrease performance).
Created attachment 374
Activates users' primary group SID update when adding/modifying/deleting a group mapping.
!!!WARNING!!!: THIS PATCH DOESN'T WORK WITH THE TDB BACKEND, but it works perfectly
with the ldap backend. Since I'm not a Samba guru, I couldn't make this patch work
with the TDB backend. I think it is very simple to fix: the problem is that pdb_ldap
and pdb_tdb don't update the sam account the same way: pdb_tdb.c invalidates the
iterator during a sam update (while pdb_ldap doesn't), so the main loop crashes
after the first pdb_update_sam_account while trying to use pdb_getsampwent. The
patch may be easy to fix and can be a good start for a final bugfix.
moving to 3.0
Closing. In 3.0.22, the primaryGroupSID attribute will be
ignored and generated at run time directly from the
Unix primary gid.
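The condition described in this report (a user's stored sambaPrimaryGroupSID no longer matching the current mapping of their Unix primary gid) can be audited with the scan the reporter proposes. The following is an added example, not the reporter's patch and not Samba code: it takes a group mapping (gidNumber to group SID, as `net groupmap list` would report it) and a list of user entries, both constructed inline here rather than read from LDAP or TDB, flags every user whose stored SID disagrees with the mapping, and shows the scan-and-update pass. The `SambaUser`, `find_stale` and `resync` names are this example's own; on a real system the entries would come from the passdb backend instead.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SambaUser:
    uid: str
    gid_number: int                # Unix primary group (gidNumber)
    samba_primary_group_sid: str   # stored sambaPrimaryGroupSID attribute


# Constructed group mapping, gidNumber -> group SID, as 'net groupmap list' would show it.
# gid 1001 ("staff") has been remapped to a new SID; gid 1002 has had its mapping deleted.
GROUP_MAP: Dict[int, str] = {
    513: "S-1-5-21-1000-2000-3000-513",
    1001: "S-1-5-21-1000-2000-3000-3003",
}

# Constructed user entries (placeholder domain SID S-1-5-21-1000-2000-3000).
USERS: List[SambaUser] = [
    SambaUser("alice", 513, "S-1-5-21-1000-2000-3000-513"),    # consistent
    SambaUser("bob", 1001, "S-1-5-21-1000-2000-3000-3001"),    # stale: old mapping of gid 1001
    SambaUser("carol", 1002, "S-1-5-21-1000-2000-3000-3005"),  # stale: mapping of gid 1002 deleted
]

Finding = Tuple[str, str, Optional[str]]


def find_stale(users: List[SambaUser], group_map: Dict[int, str]) -> List[Finding]:
    """Return (uid, stored_sid, expected_sid) for every user whose stored
    sambaPrimaryGroupSID differs from the current mapping of their gidNumber.
    A user whose gid has no mapping at all is reported with expected_sid None,
    so the admin can decide whether to add a mapping or fix the gid."""
    findings: List[Finding] = []
    for u in users:
        expected = group_map.get(u.gid_number)
        if expected != u.samba_primary_group_sid:
            findings.append((u.uid, u.samba_primary_group_sid, expected))
    return findings


def resync(users: List[SambaUser], group_map: Dict[int, str]) -> List[SambaUser]:
    """The scan-and-update pass the report proposes: rewrite sambaPrimaryGroupSID
    from the mapping of each user's gidNumber. Users whose gid is unmapped are
    left untouched and still show up in find_stale() afterwards."""
    out: List[SambaUser] = []
    for u in users:
        expected = group_map.get(u.gid_number)
        if expected is not None and expected != u.samba_primary_group_sid:
            u = replace(u, samba_primary_group_sid=expected)
        out.append(u)
    return out


if __name__ == "__main__":
    for uid, stored, expected in find_stale(USERS, GROUP_MAP):
        print(f"{uid}: stored={stored} expected={expected}")
    print("after resync:", find_stale(resync(USERS, GROUP_MAP), GROUP_MAP))
```

Run on the constructed data it reports bob (remapped group) and carol (deleted mapping); after `resync` only carol remains, which mirrors the 3.0.22 behaviour mentioned in the last comment: once the SID is derived from the Unix gid at run time, a stored value can no longer drift, but a gid without any mapping still needs an administrator's attention.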