'RE: Primary GID based access when this GID is NOT part of resolved Windows security token'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       samba-technical
Subject:    RE: Primary GID based access when this GID is NOT part of resolved Windows security token
From:       "Burgess, Adam" <adam.burgess () hp ! com>
Date:       2013-09-19 10:01:00
Message-ID: C26565C47763B14CB12582D33062BE9A49BAE880 () G5W2732 ! americas ! hpqcorp ! net
[Download RAW message or body]

Is there really no developer responsible for design or coding for group mem=
bership evaluation, and/or the code for determining accessibility to files/=
directories?

I believe I have raised an important issue here but it seems it is not bein=
g taken seriously.

Regards,

Adam



From: Burgess, Adam
Sent: 16 September 2013 11:52
To: 'samba-technical@lists.samba.org'
Subject: RE: Primary GID based access when this GID is NOT part of resolved=
 Windows security token

Is there anyone who is responsible for group membership design able to comm=
ent?

This is a design question  to begin with.  I can not find clear documentati=
on for Samba to explain if a the primary gid for the UNIX account is consid=
ered to be a group the user is a member of or not.

Further to this question is how to handle the resulting problem if it is no=
t (the inconsistency of directory access, etc).

Also it raises the question of ACL inheritance.  If there is POSIX ACL gid =
default on a directory then any file created within it should have the perm=
ission defined applied to it for the UNIX gid of the creating process (in U=
NIX context this is the primary GID).  Should this ACL be added or not if g=
roup membership via token does not include this group?

Without answers to these questions it is not possible to plan an approach o=
r to know when we can raises issues as bugs.

Regards,

Adam

From: Burgess, Adam
Sent: 09 September 2013 16:45
To: 'samba-technical@lists.samba.org'
Subject: Primary GID based access when this GID is NOT part of resolved Win=
dows security token


We observe a difference between a Windows 7 client and Windows 2003/XP clie=
nt when accessing directories that should be accessible via the UNIX accoun=
ts primary group GID (when this group is not one that would resolve as memb=
ership for the user account via the user's Windows security token).  Window=
s 7 client refuses access to a directory that should be accessible based on=
 UNIX PGID for the UNIX user account's process context.

Debug of access via Windows clients shows subtle differences in the access_=
mask for the open requests but generally the check open rights functions re=
turn NT_STATUS_ACCESS_DENIED in all cases.  In the case of Win20003/XP this=
 status reply is ignored and access is still attempted by the client.  With=
 Windows 7 no access can be gained at all.

The following are relevant snips from level 10 debug for various client acc=
esses to a dir owned by root:PGID (mode 750).  All clients showing as denie=
d, but do show as status ok if read-execute is added for "other" or if grou=
p owner is a supplementary group.

smbd_check_open_rights: file PGIDACCESSONLYDIR requesting 0x81 returning 0x=
1 (NT_STATUS_ACCESS_DENIED)
smbd_check_open_rights: file PGIDACCESSONLYDIR requesting 0x20089 returning=
 0x20009 (NT_STATUS_ACCESS_DENIED)
smbd_check_open_rights: file PGIDACCESSONLYDIR requesting 0x100001 returnin=
g 0x100001 (NT_STATUS_ACCESS_DENIED)
smbd_check_open_rights: file PGIDACCESSONLYDIR requesting 0x100080 returnin=
g 0x100000 (NT_STATUS_ACCESS_DENIED)

Note that the Windows access failure occurs only for directory access and n=
ot for regular files!

Ignoring for now why the two different client behaviours (either some subtl=
e difference in the requests or the way the Samba reply is dealt with) the =
question is what should be the correct behaviour?

We are running Samba 3.6.6 on Solaris with 16 limit on supplementary group,=
 using ADS security, Kerberos PAC based group membership resolution via win=
bindd IDMAP lookup to simple LDAP backend.


If we add the AD user account as a member of the PGID mapped AD group accou=
nt as a workaround, then this would consume a supplementary group slot in t=
he smbd process context which would break any access for accounts that are =
already in 16 supplementary groups (syssetgroups PANIC etc).

Also it should be noted that once any access is given to a directory any fi=
les that might be created would be created with the user accounts PGID as i=
ts group owner.  This makes it even more bizarre that this group would not =
be considered as part of the membership when using winbind idmapping.  I wo=
uld think that the Windows token SIDs should be combined with the UNIX cont=
ext PGID's resolved SID for the expected behaviour from a UNIX perspective.=
 I can see from an AD/Windows perspective it makes more sense that only PAC=
 SIDs are used (but this creates an inability to use the already constraine=
d 16 supplementary groups and to use PGID at all for resource control).  PG=
ID based resource control is required on Solaris when using a supplementary=
 group membership would not work due to the number of members total name st=
ring length would blow the NSS buf limit for group membership list (eg 8K).

What is the behaviour intended to be - implicit membership to UNIX PGID or =
not? Should the Windows client be ignoring the ACCESS_DENIED replies?  How =
can we resolve this problem for Windows 7 client access to UNIX PGID access=
 based resources?

Regards,

Adam
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic