Bug 1714 - Group membership check fail in some configurations
Group membership check fail in some configurations
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.6
x86 All
: P3 minor
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-09-03 03:32 UTC by Sergey Korolew
Modified: 2005-08-24 10:20 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sergey Korolew 2004-09-03 03:32:42 UTC
Here the sample: user "test", group "Proxy Users"
# wbinfo -n test
S-1-5-21-3832759173-1639904910-2887728559-1113 User (1)
# wbinfo -n "Proxy Users"
S-1-5-21-3832759173-1639904910-2887728559-1118 Domain Group (2)

Looking if user "test" in group "Proxy Users" using wbinfo:
# wbinfo --user-sids=S-1-5-21-3832759173-1639904910-2887728559-1113
S-1-5-21-3832759173-1639904910-2887728559-513
S-1-5-32-545
S-1-5-21-3832759173-1639904910-2887728559-1118

Yes, user in the group and this is a last group in the list
Now check user/password using ntlm_auth:
# ntlm_auth --helper-protocol=squid-2.5-basic
test password
OK

All working. Now adding group membership check:
# ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-
of="DOMAIN+Proxy Users"
test password
ERR

Fail ! Here the log.winbindd:
[2004/08/22 12:11:54, 10] nsswitch/winbindd_pam.c:check_info3_in_group(134)
  User has SID: S-1-5-21-3832759173-1639904910-2887728559-1113
[2004/08/22 12:11:54, 10] nsswitch/winbindd_pam.c:check_info3_in_group(134)
  User has SID: S-1-5-21-3832759173-1639904910-2887728559-513
[2004/08/22 12:11:54, 10] nsswitch/winbindd_pam.c:check_info3_in_group(134)
  User has SID: S-1-5-21-3832759173-1639904910-2887728559-135995120
[2004/08/22 12:11:54, 10] nsswitch/winbindd_pam.c:check_info3_in_group(134)
  User has SID: S-1-5-21-3832759173-1639904910-2887728559-135995136
[2004/08/22 12:11:54, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(293)
  User test is not in the required group (S-1-5-21-3832759173-1639904910-2887728
559-1118), so plaintext authentication is rejected

And here the solution :-)
--- winbindd_pam.c.old  Thu Aug 19 17:39:12 2004
+++ winbindd_pam.c      Fri Sep  3 14:24:12 2004
@@ -107,11 +107,11 @@
        for (i = 0; i < info3->num_groups2; i++) {

                sid_copy(&all_sids[j], &(info3->dom_sid.sid));

-               if (!sid_append_rid(&all_sids[j], info3->gids[j].g_rid)) {
+               if (!sid_append_rid(&all_sids[j], info3->gids[i].g_rid)) {
                        DEBUG(3,("could not append additional group rid 0x%x\n",
-                               info3->gids[j].g_rid));
+                               info3->gids[i].g_rid));

                        return NT_STATUS_INVALID_PARAMETER;
                }
                j++;

We get array gids[] overrun in some conditions (that why weird values in log).
Comment 1 Sergey Korolew 2004-09-17 12:16:15 UTC
(In reply to comment #0)
Fixed in 3.0.7:

o   Dimitri van der Spek <dwspek@aboveit.nl>
    * Use the correct counter when copying group rids from the 
      user_info3 struct in pam_winbind.

2Samba team: please pay more attention to database !
Comment 2 Gerald (Jerry) Carter 2005-08-24 10:20:34 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.