Hello!

Before this post, I sent 3 problems in 3.0.11. I compiled 3.0.12rc1 and found the following:

1) Setting the primary group .... problem solved, but a question to the developer.
   You appended to mapping.c in smb_set_primary_group:

       ret = smbrun(add_script,NULL);
       flush_pwnam_cache();
       ^^^^^^^^^^^^^^^^^^^^

   But you do not check the return code ..... if my script exits with code != 0, I change
   the primary group anyway ... ( is the script "set primary group" still needed ? )

2) Next in this code is winbind, but the debug message string has the code
   DEBUG(3,("smb_delete_group:

   You use copy/paste ;)

   This affects the functions smb_add_user_group, smb_delete_user_group.

   smb_add_user_group has a bug:

       if ( winbind_add_user_to_group( unix_user, unix_group ) ) {
           DEBUG(3,("smb_delete_group: winbindd added user (%s) to the group (%s)\n",
                    unix_user, unix_group));
           return -1;
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
           needed: return 0;
       }

3) I analysed problem 1
   ( a user who does not have the privilege "add machine account" )

   In function _samr_create_user ( srv_samr_nt.c ) you have the code:

       if ( can_add_account )
           become_root();

   And if the user does not have the privilege (user|machine) you MAY CREATE A USER
   ( posix account or machine account ) through the SCRIPT :(((((

   I changed the code to:

       if ( can_add_account == False ) {
           return NT_STATUS_ACCESS_DENIED;
       }

   It fixed the problem .... I did a simple test and it works correctly, ... but I did
   not do a full test.

And I want to apologize for my English, well .. you understand ;)

Sergey Loskutov
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sergey Loskutov wrote:
| Hello!
|
| Before this post, I sent 3 problems in 3.0.11.
| I compiled 3.0.12rc1 and found the following:
|
| 1) Setting the primary group .... problem solved, but a question to the developer.
| You appended to mapping.c in smb_set_primary_group:
|     ret = smbrun(add_script,NULL);
|     flush_pwnam_cache();
|     ^^^^^^^^^^^^^^^^^^^^
| But you do not check the return code ..... if my script exits with code != 0, I change
| the primary group anyway ... ( is the script "set primary group" still needed ? )

It's just flushing the internal pwnam cache.  Semantically this is ok.
Probably not optimal.  I'll look at it later.

| 2) Next in this code is winbind, but the debug message string has the code
| DEBUG(3,("smb_delete_group:
|
| You use copy/paste ;)
|
| This affects the functions smb_add_user_group, smb_delete_user_group.
|
| smb_add_user_group has a bug:
|
|     if ( winbind_add_user_to_group( unix_user, unix_group ) ) {
|         DEBUG(3,("smb_delete_group: winbindd added user (%s) to the group (%s)\n",
|                  unix_user, unix_group));
|         return -1;
|         ^^^^^^^^^^^^^^^^^^^^^^^^^^
|         needed: return 0;
|     }

The 'winbind local accounts' code is deprecated at this point.  So this
code will eventually be removed anyways.  However, I'll clean up the
debug messages and check return codes before the final 3.0.12.

| 3) I analysed problem 1
| ( a user who does not have the privilege "add machine account" )
|
| In function _samr_create_user ( srv_samr_nt.c ) you have the code:
|
|     if ( can_add_account )
|         become_root();
|
| And if the user does not have the privilege (user|machine) you MAY CREATE A USER
| ( posix account or machine account ) through the SCRIPT :(((((
|
| I changed the code to:
|
|     if ( can_add_account == False ) {
|         return NT_STATUS_ACCESS_DENIED;
|     }
|
| It fixed the problem .... I did a simple test and it works correctly, ... but I did
| not do a full test.

I've thought about this before.  The problem is actually that
your 'add user script' can be run successfully as a non-root user.
A simple 'chmod 700 <script>; chown root <script>' will solve this.
I'll look at it some more but this is not a pressing issue I don't
think.  smbd is not doing anything that the normal user couldn't do
anyways.  And your fix doesn't cover all the possible scenarios
(e.g. root user with no assigned privileges should still be able to join
clients to the domain).

Thanks for the feedback.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)  ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."  Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCNaHJIR7qMdg1EfYRAgFkAJ9RYuBYrAJkidjOAg7M3ffe/bNo1ACgkV2e
AoI7f/tiRTxysi6x8wSQmPY=
=Rgb4
-----END PGP SIGNATURE-----
Gerald (Jerry) Carter wrote:
>> Sergey Loskutov wrote:
>> | Hello!
>> |
>> | Before this post, I sent 3 problems in 3.0.11.
>> | I compiled 3.0.12rc1 and found the following:
>> |
>> | 1) Setting the primary group .... problem solved, but a question to the developer.
>> | You appended to mapping.c in smb_set_primary_group:
>> |     ret = smbrun(add_script,NULL);
>> |     flush_pwnam_cache();
>> |     ^^^^^^^^^^^^^^^^^^^^
>> | But you do not check the return code ..... if my script exits with code != 0, I change
>> | the primary group anyway ... ( is the script "set primary group" still needed ? )
>>
> It's just flushing the internal pwnam cache.  Semantically this is ok.
> Probably not optimal.  I'll look at it later.

I know that you flush the cache... but thank you.

>>
>> | 3) I analysed problem 1
>> | ( a user who does not have the privilege "add machine account" )
>> |
>> | In function _samr_create_user ( srv_samr_nt.c ) you have the code:
>> |
>> |     if ( can_add_account )
>> |         become_root();
>> |
>> | And if the user does not have the privilege (user|machine) you MAY CREATE A USER
>> | ( posix account or machine account ) through the SCRIPT :(((((
>> |
>> | I changed the code to:
>> |
>> |     if ( can_add_account == False ) {
>> |         return NT_STATUS_ACCESS_DENIED;
>> |     }
>> |
>> | It fixed the problem .... I did a simple test and it works correctly, ... but I did
>> | not do a full test.
>>
> I've thought about this before.  The problem is actually that
> your 'add user script' can be run successfully as a non-root user.
> A simple 'chmod 700 <script>; chown root <script>' will solve this.
> I'll look at it some more but this is not a pressing issue I don't
> think.  smbd is not doing anything that the normal user couldn't do
> anyways.  And your fix doesn't cover all the possible scenarios
> (e.g. root user with no assigned privileges should still be able to join
> clients to the domain).

NO NO NO, setting chmod or chown ..... Why do we need privileges then? :)
I want to set the "add machine" privilege for a user who is not a member of root ....

Sample :)

    chmod 770 <script>; chown root."smart man" <script>;

Looks good :)

User: John ( member of "smart man" )
User: Leon ( member of "smart man" )

I want to give the privilege to John, but not to Leon ... :)
Why must I use setfacl|getfacl ..... I have privileges ..... your decision ... bad.

And anyway, a user who has uidNumber == 0 and does not have privileges is not able
to join machines and users ;) I checked this before sending the code.

And why do I permit executing the script if the code semantics do not allow using
ldap for a non-member of root? Check your ldap code ;)

Thank you for your help!

Sergey Loskutov