Bug 7507 - init_sam_from_ldap maps primary group sid in idmap-uid cache
Summary: init_sam_from_ldap maps primary group sid in idmap-uid cache
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services (show other bugs)
Version: 3.5.3
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-10 04:54 UTC by Michael Adam
Modified: 2011-08-27 08:47 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Adam 2010-06-10 04:54:06 UTC
When a user logs in, its primaray group sid mapping
is stored in the gid_sid memcache, but in the sid2uid
idmap cache (gencache.tdb). This wrong cache entry lives
for a while and can leads to strange and erratic errors.

One possible consequence is that a set-security-descriptor
call with an ace for the group sid in question will result
in a broken posix acl on disk with _user_ type ace for the
user with the group's gid as uid.

This results in the user having access rights he is not
supposed to have.

This bug applies to master, 3.5.3 and also in 3.4.8.

The fix is minimal and will follow next.
Comment 1 Michael Adam 2010-06-10 05:18:20 UTC
I have pushed the fix to master in commit ba809ecb8ab217e4376bf75d2300e146b62b88eb.

http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=ba809ecb8ab217e4376bf75d2300e146b62b88eb

The commit cherry-picks cleanly to v3-4-test and v3-5-test.

Unfortunately, I have made a silly typo in the commit message,
in writing 7505 instead of 7507 :-/

Michael
Comment 2 Volker Lendecke 2010-06-10 05:43:38 UTC
Patch looks good, but for the release branches we should fix that commit message typo. Karolin, do you want me to provide fixed patches?

Thanks,

Volker
Comment 3 Karolin Seeger 2010-06-10 05:54:14 UTC
(In reply to comment #2)
> Patch looks good, but for the release branches we should fix that commit
> message typo. Karolin, do you want me to provide fixed patches?

No, I will correct the typo myself.

Comment 4 Karolin Seeger 2010-06-10 05:57:52 UTC
Pushed to v3-5-test and v3-4-test.