Bug 6199 - Handle nested groups and privileges
Summary: Handle nested groups and privileges
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: Other Linux
: P3 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Matthias Dieter Wallnöfer
URL: http://repo.or.cz/w/Samba/mdw.git?a=c...
Keywords:
: 6552 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-03-20 11:33 UTC by Matthieu Patou
Modified: 2009-07-31 08:03 UTC (History)
0 users

See Also:


Attachments
Begin of a patch (5.15 KB, patch)
2009-07-17 01:35 UTC, Matthias Dieter Wallnöfer
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Patou 2009-03-20 11:33:55 UTC
Samba4 do not handle well groups of groups.
If a user U is member of group G1 which is itself member of group G2 and if permission are granted for member of group G2 then  U will not be granted this permission.

You can reproduce the problem with this method: 
create a user
put him in Domain Admins group(CN=Domain Admins,CN=Users,DC=....) which is part of Administrators group (CN=Administrators,CN=Builtin,DC=....) and try to open ADCU.
You will not be granted to add users, groups, or modify them.

Now put this user directly in group Administrators and you will have the rights to do what ever you want in ADCU.
Comment 1 Matthias Dieter Wallnöfer 2009-04-13 08:37:41 UTC
Good, this is the problem of nested groups. We aren't supporting this properly yet.
Comment 2 Matthieu Patou 2009-06-13 15:57:12 UTC
Any news on this ? 
Comment 3 Matthias Dieter Wallnöfer 2009-07-15 07:30:21 UTC
*** Bug 6552 has been marked as a duplicate of this bug. ***
Comment 4 Matthias Dieter Wallnöfer 2009-07-17 01:35:27 UTC
Created attachment 4435 [details]
Begin of a patch

I began to write a patch which enrolls the "memberOf" attributes recursively. For now I have the problem that it doesn't work on my test system. It seems that the issue depends on the "talloc_realloc" function which doesn't seem to reallocate the memory properly. So after the second call, I get always a SEGFAULT on the line after it (*res_sids[*num_res_sids]=...).
Comment 5 Matthias Dieter Wallnöfer 2009-07-17 09:14:01 UTC
Comment on attachment 4435 [details]
Begin of a patch

I think I don't add patches anymore here. Please look at the URL.
Comment 6 Matthias Dieter Wallnöfer 2009-07-31 08:03:09 UTC
Fixed in master trough my patch.