Hello!
Before this post, I sent 3 problems in 3.0.11.
I compiled 3.0.12rc1 and found the following:
1) Setting the primary group .... problem solved, but a question to the developer:
You appended to mapping.c in smb_set_primary_group
    ret = smbrun(add_script,NULL);
    flush_pwnam_cache();
    ^^^^^^^^^^^^^^^^^^^^
But you do not check the return code ..... if my script exits with code != 0, the primary group is changed anyway ... ( is the script "set primary group" still needed ? )
2) Next in this code is winbind, but the debug message string has the code
    DEBUG(3,("smb_delete_group:
You used copy/paste ;)
This affects the functions smb_add_user_group and smb_delete_user_group.
smb_add_user_group has a bug:
    if ( winbind_add_user_to_group( unix_user, unix_group ) ) {
        DEBUG(3,("smb_delete_group: winbindd added user (%s) to the group (%s)\n",
                 unix_user, unix_group));
        return -1;
        ^^^^^^^^^^^^^^^^^^^^^^^^^^
        needed: return 0;
    }
3) I analyzed problem 1
( a user who does not have the privilege "add machine account" )
In the function _samr_create_user ( srv_samr_nt.c ) you have the code:
    if ( can_add_account )
        become_root();
And if the user does not have the privilege (user|machine) you MAY CREATE A USER ( posix account or machine account ) through the SCRIPT :(((((
I changed the code to:
    if ( can_add_account == False ) {
        return NT_STATUS_ACCESS_DENIED;
    }
This fixed the problem ....
I did a simple test and it works correctly, ... but I did not do a full test.
And I want to apologize for my English, well .. you understand ;)
Sergey Loskutov
Sergey Loskutov wrote:
| Hello!
|
| Before this post, I sent 3 problems in 3.0.11.
| I compiled 3.0.12rc1 and found the following:
|
| 1) Setting the primary group .... problem solved, but a question to the developer:
| You appended to mapping.c in smb_set_primary_group
|     ret = smbrun(add_script,NULL);
|     flush_pwnam_cache();
|     ^^^^^^^^^^^^^^^^^^^^
| But you do not check the return code ..... if my script exits with code != 0, the primary group is changed anyway ... ( is the script "set primary group" still needed ? )
It's just flushing the internal pwnam cache. Semantically this is ok.
Probably not optimal. I'll look at it later.
| 2) Next in this code is winbind, but the debug message string has the code
|     DEBUG(3,("smb_delete_group:
|
| You used copy/paste ;)
|
| This affects the functions smb_add_user_group and smb_delete_user_group.
|
| smb_add_user_group has a bug:
|
|     if ( winbind_add_user_to_group( unix_user, unix_group ) ) {
|         DEBUG(3,("smb_delete_group: winbindd added user (%s) to the group (%s)\n",
|                  unix_user, unix_group));
|         return -1;
|         ^^^^^^^^^^^^^^^^^^^^^^^^^^
|         needed: return 0;
|
|     }
The 'winbind local accounts' code is deprecated at this point. So this
code will eventually be removed anyways. However, I'll clean up the
debug messages and check return codes before the final 3.0.12.
| 3) I analyzed problem 1
| ( a user who does not have the privilege "add machine account" )
|
| In the function _samr_create_user ( srv_samr_nt.c ) you have the code:
|
|     if ( can_add_account )
|         become_root();
|
| And if the user does not have the privilege (user|machine) you MAY CREATE A USER ( posix account or machine account ) through the SCRIPT :(((((
|
| I changed the code to:
|
|     if ( can_add_account == False ) {
|         return NT_STATUS_ACCESS_DENIED;
|     }
| This fixed the problem ....
| I did a simple test and it works correctly, ... but I did not do a full test.
I've thought about this before. The problem is actually that
your 'add user script' can be run successfully as a non-root user.
A simple 'chmod 700 <script>; chown root <script>' will
solve this.
I'll look at it some more but this is not a pressing issue I don't
think. smbd is not doing anything that the normal user couldn't do
anyways. And your fix doesn't cover all the possible scenarios
(e.g. root user with no assigned privileges should still be able to join
clients to the domain).
Thanks for the feedback.
cheers, jerry
====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
Gerald (Jerry) Carter wrote:
> Sergey Loskutov wrote:
> | Hello!
> |
> | Before this post, I sent 3 problems in 3.0.11.
> | I compiled 3.0.12rc1 and found the following:
> |
> | 1) Setting the primary group .... problem solved, but a question to the developer:
> | You appended to mapping.c in smb_set_primary_group
> |     ret = smbrun(add_script,NULL);
> |     flush_pwnam_cache();
> |     ^^^^^^^^^^^^^^^^^^^^
> | But you do not check the return code ..... if my script exits with code != 0, the primary group is changed anyway ... ( is the script "set primary group" still needed ? )
>
> It's just flushing the internal pwnam cache. Semantically this is ok.
> Probably not optimal. I'll look at it later.

I know that you are flushing the cache... but thank you.

> | 3) I analyzed problem 1
> | ( a user who does not have the privilege "add machine account" )
> |
> | In the function _samr_create_user ( srv_samr_nt.c ) you have the code:
> |
> |     if ( can_add_account )
> |         become_root();
> |
> | And if the user does not have the privilege (user|machine) you MAY CREATE A USER ( posix account or machine account ) through the SCRIPT :(((((
> |
> | I changed the code to:
> |
> |     if ( can_add_account == False ) {
> |         return NT_STATUS_ACCESS_DENIED;
> |     }
> | This fixed the problem ....
> | I did a simple test and it works correctly, ... but I did not do a full test.
>
> I've thought about this before. The problem is actually that
> your 'add user script' can be run successfully as a non-root user.
> A simple 'chmod 700 <script>; chown root <script>' will solve this.
> I'll look at it some more but this is not a pressing issue I don't
> think. smbd is not doing anything that the normal user couldn't do
> anyways. And your fix doesn't cover all the possible scenarios
> (e.g. root user with no assigned privileges should still be able to join
> clients to the domain).

NO NO NO, setting chmod or chown ..... Why are privileges needed ? :)
I want to set the privilege "add machine" for a user who is not a member of root ....
Sample :)
    chmod 770 <script>; chown root."smart man" <script>;
Looks good :)
User: John ( member of "smart man" )
User: Leon ( member of "smart man" )
I want to give the privilege to John, but not to Leon ... :)
Why must I use setfacl|getfacl ..... I have privileges ..... your decision ... bad.
And anyway a user who has uidNumber == 0 and does not have privileges is not able to join machines and users ;) I checked this before sending the code.
And why permit executing the script if the code semantics do not allow using ldap when not a member of root ? Check your ldap code ;)
Thanks for your help !
Sergey Loskutov
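The access decision and return-code handling the thread argues about, as an added example that is not Samba's code: it models the _samr_create_user flow with hypothetical names (create_user, script_ok, script_fail stand in for the real function, smbrun and the add user script), refuses a caller without the privilege before any script runs, treats root without an assigned privilege as allowed (Jerry's scenario), and fails the request when the script exits non-zero (Sergey's item 1).

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical status values standing in for NT_STATUS_OK and friends. */
enum { STATUS_OK = 0, STATUS_ACCESS_DENIED = 1, STATUS_UNSUCCESSFUL = 2 };

/* What the decision in the thread depends on: whether the caller holds the
 * add-user / add-machine right, and whether the caller is root (Jerry's
 * case: root with no assigned privilege must still be able to join). */
struct caller { bool has_add_privilege; bool is_root; };

/* Stand-in for smbrun(): runs the add user script and returns its exit code. */
typedef int (*script_fn)(const char *script, const char *user);

static int script_runs;                          /* how often a script actually ran */
int script_run_count(void) { return script_runs; }

/* Constructed scripts (not real ones): one succeeds, one exits non-zero. */
static int script_ok(const char *s, const char *u)   { (void)s; (void)u; script_runs++; return 0; }
static int script_fail(const char *s, const char *u) { (void)s; (void)u; script_runs++; return 1; }

/* Hardened flow: deny before anything executes when the caller is not allowed
 * (the early return Sergey proposed), run the script only for allowed callers,
 * and treat a non-zero exit code as failure instead of ignoring it. */
int create_user(struct caller c, const char *script, const char *user, script_fn run)
{
    bool can_add_account = c.has_add_privilege || c.is_root;
    if (!can_add_account)
        return STATUS_ACCESS_DENIED;            /* no script runs on this caller's behalf */
    /* become_root() would be entered here */
    int ret = run(script, user);
    /* unbecome_root() would be called here */
    if (ret != 0) {
        fprintf(stderr, "%s exited with %d for %s; account not created\n", script, ret, user);
        return STATUS_UNSUCCESSFUL;
    }
    return STATUS_OK;
}

int main(void)
{
    struct caller leon = { false, false }, john = { true, false }, root = { false, true };
    printf("leon: %d\n", create_user(leon, "add_user", "ws1$", script_ok));   /* 1: denied */
    printf("john: %d\n", create_user(john, "add_user", "ws1$", script_ok));   /* 0: created */
    printf("root: %d\n", create_user(root, "add_user", "ws2$", script_fail)); /* 2: script failed */
    return 0;
}
```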