[Pkg-samba-maint] Bug#912193: samba: Ignores UNIX groups

Paul Szabo paul.szabo at sydney.edu.au
Mon Oct 29 03:00:33 GMT 2018


Package: samba
Version: 2:4.5.12+dfsg-2+deb9u3
Severity: normal
Tags: patch

Dear Maintainer,

Samba ignores the UNIX secondary groups of the UNIX user; then file
permissions (based on those secondary groups) fail. (Instead, Samba
adds the "Windows groups" that the "Windows user" belongs to, but
that is probably useless or wrong for file accesses.)

The following patch seems to solve the issue.

(Seems to me that Samba4.9 suffers from the same issue.)

Cheers, Paul

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.110-pk09.23-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii  adduser              3.115
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  libbsd0              0.8.3-1
ii  libc6                2.24-11+deb9u3
ii  libldb1              2:1.1.27-1+b1
ii  libpam-modules       1.1.8-3.6
ii  libpam-runtime       1.1.8-3.6
ii  libpopt0             1.16-10+b2
ii  libpython2.7         2.7.13-2+deb9u3
ii  libtalloc2           2.1.8-1
ii  libtdb1              1.3.11-2
ii  libtevent0           0.9.31-1
ii  libwbclient0         2:4.5.12+dfsg-2+deb9u3
ii  lsb-base             9.20161125
ii  procps               2:3.3.12-3+deb9u1
ii  python               2.7.13-2
ii  python-dnspython     1.15.0-1
ii  python-samba         2:4.5.12+dfsg-2+deb9u3
ii  python2.7            2.7.13-2+deb9u3
ii  samba-common         2:4.5.12+dfsg-2+deb9u3
ii  samba-common-bin     2:4.5.12+dfsg-2+deb9u3
ii  samba-libs           2:4.5.12+dfsg-2+deb9u3
ii  tdb-tools            1.3.11-2
ii  update-inetd         4.44

Versions of packages samba recommends:
ii  attr                1:2.4.47-2+b2
ii  logrotate           3.11.0-0.1
ii  samba-dsdb-modules  2:4.5.12+dfsg-2+deb9u3
ii  samba-vfs-modules   2:4.5.12+dfsg-2+deb9u3

Versions of packages samba suggests:
pn  bind9          <none>
pn  bind9utils     <none>
pn  ctdb           <none>
pn  ldb-tools      <none>
ii  ntp            1:4.2.8p10+dfsg-3+deb9u2
pn  smbldap-tools  <none>
pn  ufw            <none>
ii  winbind        2:4.5.12+dfsg-2+deb9u3

-- no debconf information
--- ./samba-4.5.12/source3/auth/auth_util.c.orig	2016-12-09 01:09:52.000000000 +1100
+++ ./samba-4.5.12/source3/auth/auth_util.c	2018-10-29 08:53:21.216263177 +1100
@@ -531,6 +531,7 @@
 		/* Just copy the token, it has already been finalised
 		 * (nasty hack to support a cached guest/system session_info
 		 */
+		/* PSz - I have not noticed that this copy would succeed... */
 
 		session_info->security_token = dup_nt_token(session_info, server_info->security_token);
 		if (!session_info->security_token) {
@@ -551,6 +552,16 @@
 		return NT_STATUS_OK;
 	}
 
+/*
+ *	DEBUG(10, ("PSz - as things were after copy of server_info->security_token\n"));
+ *	security_token_debug(DBGC_AUTH, 10, session_info->security_token);
+ *	debug_unix_user_token(DBGC_AUTH, 10,
+ *			      session_info->unix_token->uid,
+ *			      session_info->unix_token->gid,
+ *			      session_info->unix_token->ngroups,
+ *			      session_info->unix_token->groups);
+ */
+
 	/*
 	 * If winbind is not around, we can not make much use of the SIDs the
 	 * domain controller provided us with. Likewise if the user name was
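Review bot: The block added here is commented-out debug code rather than a change to the function, and the same pattern recurs in the third hunk (the second `DEBUG(10, ("PSz - ...` dump and the whole former SID-to-gid loop kept inside `/* ... */`). Dead code in a patch makes the actual behavioural change hard to review and will not survive upstream review; either drop it or keep a live `DEBUG(10, ...)`/`security_token_debug()` call, which is already level-guarded. The "PSz -" annotations in the first hunk and in the third hunk's `/* PSz - Why zero them here? ... */` are questions for the reviewer and belong in the bug report, not in the source. The enclosing function starts and ends outside this hunk.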
@@ -578,47 +589,93 @@
 							  &session_info->security_token);
 	}
 
+/*
+ *	DEBUG(10, ("PSz - as things were after create_token_from_username/create_local_nt_token_from_info3\n"));
+ *	security_token_debug(DBGC_AUTH, 10, session_info->security_token);
+ *	debug_unix_user_token(DBGC_AUTH, 10,
+ *			      session_info->unix_token->uid,
+ *			      session_info->unix_token->gid,
+ *			      session_info->unix_token->ngroups,
+ *			      session_info->unix_token->groups);
+ */
+
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
 	/* Convert the SIDs to gids. */
 
+	/*
+	 * PSz - Why zero them here? May have initialized them already,
+	 * in copy of security_token. Was that wrong (wasted)?
+	 */
 	session_info->unix_token->ngroups = 0;
 	session_info->unix_token->groups = NULL;
 
-	t = session_info->security_token;
-
-	ids = talloc_array(talloc_tos(), struct unixid,
-			   t->num_sids);
-	if (ids == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (!sids_to_unixids(t->sids, t->num_sids, ids)) {
-		TALLOC_FREE(ids);
-		return NT_STATUS_NO_MEMORY;
+	DEBUG(10, ("PSz - create_local_token() used to add SID groups ... doing UNIX groups instead\n"));
+	/*
+	 * PSz - Used to get SIDs from security_token, convert to GID
+	 * and add to GROUPS; then later convert each GID back to SID
+	 * and add back into security_token.
+	 * We may not "need" those NT groups in our UNIX groups, and
+	 * adding them back seems useless.
+	 */
+/*
+ *	t = session_info->security_token;
+ *
+ *	ids = talloc_array(talloc_tos(), struct unixid,
+ *			   t->num_sids);
+ *	if (ids == NULL) {
+ *		return NT_STATUS_NO_MEMORY;
+ *	}
+ *
+ *	if (!sids_to_unixids(t->sids, t->num_sids, ids)) {
+ *		TALLOC_FREE(ids);
+ *		return NT_STATUS_NO_MEMORY;
+ *	}
+ *
+ *	for (i=0; i<t->num_sids; i++) {
+ *
+ *		if (i == 0 && ids[i].type != ID_TYPE_BOTH) {
+ *			continue;
+ *		}
+ *
+ *		if (ids[i].type != ID_TYPE_GID &&
+ *		    ids[i].type != ID_TYPE_BOTH) {
+ *			DEBUG(10, ("Could not convert SID %s to gid, "
+ *				   "ignoring it\n",
+ *				   sid_string_dbg(&t->sids[i])));
+ *			continue;
+ *		}
+ *		if (!add_gid_to_array_unique(session_info, ids[i].id,
+ *					     &session_info->unix_token->groups,
+ *					     &session_info->unix_token->ngroups)) {
+ *			return NT_STATUS_NO_MEMORY;
+ *		}
+ *	}
+ */
+	/* PSz - Add UNIX groups, instead. */
+	if (1) {
+	  gid_t *gids = NULL;
+	  uint32_t num_gids = 0;
+	  struct passwd *pass = NULL;
+	  int i;
+	  pass = getpwuid_alloc(mem_ctx, session_info->unix_token->uid);
+	  if (pass) {
+	    if (getgroups_unix_user(mem_ctx, pass->pw_name, pass->pw_gid, &gids, &num_gids)) {
+	      for (i=0; i<num_gids; i++) {
+		if (!add_gid_to_array_unique(
+			session_info, gids[i],
+			&session_info->unix_token->groups,
+			&session_info->unix_token->ngroups)) {
+		  DEBUG(3, ("Failed to add UNIX GID %d (number %d of %d) to unix_token\n", gids[i], i, num_gids));
+		  return NT_STATUS_NO_MEMORY;
+		}
+	      }
+	    }
+	  }
 	}
 
-	for (i=0; i<t->num_sids; i++) {
-
-		if (i == 0 && ids[i].type != ID_TYPE_BOTH) {
-			continue;
-		}
-
-		if (ids[i].type != ID_TYPE_GID &&
-		    ids[i].type != ID_TYPE_BOTH) {
-			DEBUG(10, ("Could not convert SID %s to gid, "
-				   "ignoring it\n",
-				   sid_string_dbg(&t->sids[i])));
-			continue;
-		}
-		if (!add_gid_to_array_unique(session_info, ids[i].id,
-					     &session_info->unix_token->groups,
-					     &session_info->unix_token->ngroups)) {
-			return NT_STATUS_NO_MEMORY;
-		}
-	}
 
 	/*
 	 * Add the "Unix Group" SID for each gid to catch mapped groups
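Review bot: Both lookup failures in the new `if (1)` block are silent: when `getpwuid_alloc()` returns NULL or `getgroups_unix_user()` returns false the function carries on with `ngroups == 0` and no log line, whereas the replaced `sids_to_unixids()` path returned `NT_STATUS_NO_MEMORY` on failure, so a broken NSS or winbind lookup now quietly produces a session with no supplementary groups. The loop also compares `int i` against `uint32_t num_gids`, prints `gids[i]` and `num_gids` with `%d`, and never frees `pass` or `gids`, which are allocated on `mem_ctx` and so live as long as that context does. Separately, gids that the removed path obtained through idmap alone (domain groups not visible via NSS) are no longer added to `unix_token`, which changes which UNIX groups a domain user receives; that is presumably the intent, but it should be stated in the change description rather than inferred from the commented-out loop. The two-space indentation also departs from the tab style used by the rest of the file. The enclosing function continues outside the hunk on both sides.
```c
	/* Add the UNIX groups of the mapped UNIX user. */
	{
		gid_t *gids = NULL;
		uint32_t num_gids = 0;
		uint32_t i;
		struct passwd *pass;

		pass = getpwuid_alloc(mem_ctx, session_info->unix_token->uid);
		if (pass == NULL) {
			DEBUG(1, ("getpwuid_alloc(%u) failed\n",
				  (unsigned int)session_info->unix_token->uid));
			return NT_STATUS_NO_SUCH_USER;
		}
		if (!getgroups_unix_user(mem_ctx, pass->pw_name, pass->pw_gid,
					 &gids, &num_gids)) {
			DEBUG(1, ("getgroups_unix_user(%s) failed\n", pass->pw_name));
			TALLOC_FREE(pass);
			return NT_STATUS_NO_SUCH_USER;
		}
		for (i = 0; i < num_gids; i++) {
			if (!add_gid_to_array_unique(
				    session_info, gids[i],
				    &session_info->unix_token->groups,
				    &session_info->unix_token->ngroups)) {
				DEBUG(3, ("Failed to add UNIX GID %u (number %u of %u) to unix_token\n",
					  (unsigned int)gids[i], i, num_gids));
				TALLOC_FREE(gids);
				TALLOC_FREE(pass);
				return NT_STATUS_NO_MEMORY;
			}
		}
		TALLOC_FREE(gids);
		TALLOC_FREE(pass);
	}
	/* ... unchanged: "Unix Group" SID added for each gid ... */
```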

