Bug 12970 - sec_initial_uid() called before sec_init() in net command
sec_initial_uid() called before sec_init() in net command
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
4.6.2
All All
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-16 06:07 UTC by Stefan Walter
Modified: 2017-08-16 08:17 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Walter 2017-08-16 06:07:09 UTC
I have noticed that with the net command it is not possible anymore to run 'net ads join' as non-root. With 4.4.x this still worked. What we do is to run it like this as user apache on a webserver (/tmp/samba contains a copy of /var/lib/samba, ownership changed to apache:apache):

KRB5_KTNAME=FILE:/tmp/samba/keytab net '--option=cache directory=/tmp/samba' '--option=lock directory=/tmp/samba/lock' '--option=state directory=/tmp/samba' '--option=private dir=/tmp/samba/private' '--option=smb passwd file=/tmp/samba/private/smbpasswd' '--option=debug level=99' ads join

It fails with this error message:

...
directory_create_or_exist_strict: invalid ownership on directory /tmp/samba/lock/msg.lock
messaging_init_internal: Could not create lock directory: No such file or directory
main: Unable to initialize messaging context. Must be root to do that.
...

Again, /tmp/samba/lock/msg.lock is owned by apache and has mode 0755.

The root cause seems to be that in source3/utils/net.c the call to sec_init() comes after the call to messaging_init_client(). The later calls sec_initial_uid() which at that time returns a non-initialized
initial_uid that just happens to be 0. 

This means that directory_create_or_exist_strict() wrongfully checks if /tmp/samba/lock/msg.lock belongs to 0 (root) instead of the user running the net command.