Bug 33370 - Authenticated Users idmap issues s3 memberserver
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Samba
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2013-11-14 12:17 CET by Tim Petersen
Modified: 2018-04-12 15:11 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?: Yes
Ticket number: 2015021121000159, 2018041221000737


Description Tim Petersen univentionstaff 2013-11-14 12:17:16 CET
An S3 member server within an S4 environment is not able to handle the special group "Authenticated Users".

If you set group permissions via setfacl for a share, you get "Unix Group\Authenticated Users" as the effective permissions shown in Windows.
GPO-related things (deploying files for example) with this share will not work then.
If you correct the permissions to "Authenticated Users" via Windows, it will work.
"getfacl" only shows an ID then:
"default:group:55002:r-x"

root@member:~# univention-ldapsearch gidNumber=55002
# S-1-5-11, idmap, univention, wurst.foo
dn: sambaSID=S-1-5-11,cn=idmap,cn=univention,dc=wurst,dc=foo
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 55002
sambaSID: S-1-5-11

root@member:~# univention-ldapsearch cn="Authenticated Users"
dn: cn=Authenticated Users,cn=groups,dc=wurst,dc=foo
objectClass: top
objectClass: posixGroup
objectClass: univentionGroup
objectClass: sambaGroupMapping
objectClass: univentionObject
univentionObjectType: groups/group
cn: Authenticated Users
sambaSID: S-1-5-11
sambaGroupType: 2
gidNumber: 5020
uniqueMember: cn=DC Slave Hosts,cn=groups,dc=wurst,dc=foo
uniqueMember: cn=Windows Hosts,cn=groups,dc=wurst,dc=foo


root@member:~# getent group "Authenticated Users"
Authenticated Users:*:5020:join-slave,Administrator,winclient$,WIN7PRO$,WIN7PROFLUR$,join-backup,master$
Comment 1 Arvid Requate univentionstaff 2013-12-03 13:31:28 CET
I could imagine that the Windows client sends a security descriptor with the SID of the builtin group "Authenticated Users" S-1-5-11 and the smbd on the UCS Memberserver asks winbind to translate the SID into a Posix-ID. winbind looks into its list of IDMAP backends per domain, as defined in smb.conf. Since the SID falls into the BUILTIN domain, it doesn't try an nss lookup (as would be done for the domain), but uses the LDAP allocator instead, which generates the sambaIdmapEntry object.

If this theory is found to be valid in a test, then it might be an option to add

        idmap config BUILTIN : backend = nss
        idmap config BUILTIN : range = 1000-54999

to smb.conf. Don't know if winbind accepts that and what other side effects that might have.
Comment 2 Arvid Requate univentionstaff 2014-02-05 18:21:10 CET
* Good: Adding the following lines to the smb.conf of the member seems to fix this for "Authenticated Users" and other SIDs in the "NT AUTHORITY" domain:
===============================================
idmap config NT AUTHORITY : backend = nss
idmap config NT AUTHORITY : range = 1000-54999
===============================================
It makes "wbinfo -Y S-1-5-11" return the proper gidNumber from the sambaGroupMapping object instead of creating (or picking an existing) sambaIdmapEntry.


* Samba4 domain only: Somehow the Memberserver winbind behaves differently in a Samba3 domain, it cannot resolve this SID even if I manually create the corresponding group object in LDAP and apply this workaround.


* Strange: This workaround works for all SIDs in the "NT AUTHORITY" domain with one exception: It doesn't for "Enterprise Domain Controllers":
=====================================================
root@member43:~# wbinfo -Y S-1-5-9
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-9 to gid
=====================================================


* Open: The same trick doesn't work for "BUILTIN" SIDs (S-1-5-32-*):
=====================================================
root@member43:~# wbinfo -Y S-1-5-32-544
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to gid
=====================================================
Comment 3 Stefan Gohmann univentionstaff 2014-10-28 22:21:32 CET
Moved to UCS 3.2-4-errata.
Comment 4 Arvid Requate univentionstaff 2014-12-01 14:32:53 CET
In Samba4 domains this workaround can be used:

root@member:~# cat >> /etc/samba/local.conf <<%EOF
idmap config NT AUTHORITY : backend = nss
idmap config NT AUTHORITY : range = 1000-54999
%EOF

root@member:~# ucr commit /etc/samba/smb.conf
root@member:~# /etc/init.d/samba restart
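The theory in Comment 1, the smb.conf lines in Comment 2 and the procedure in Comment 4 all come down to one thing: the "NT AUTHORITY" domain must be routed to the nss idmap backend, with a range that does not collide with the allocating "*" backend, and afterwards "wbinfo -Y S-1-5-11" must return the gidNumber of the LDAP group (5020) rather than an allocated sambaIdmapEntry id (55002). The script below is an added example, not code from the bug report or from UCS. It checks exactly those two conditions. The functions read smb.conf text and command output from stdin or arguments so they can be exercised on constructed input; the "idmap config *" lines and the 55000-65535 allocator range in the constructed configs are assumptions made for the example, not copied from a real UCS host. Run it with "--live" on a member server to check the real /etc/samba/smb.conf and the real winbind mapping.

```shell
#!/bin/sh
# Added example (not part of the bug report or of UCS): offline checks for the
# "idmap config NT AUTHORITY" workaround and for the resulting SID-to-gid mapping.

# Print "<backend> <range>" for one idmap domain from smb.conf text on stdin
# ("-" where the key is not set). Handles lines like
#   idmap config NT AUTHORITY : backend = nss
idmap_config_for() {
    awk -v dom="$1" -F'=' '
        /^[ \t]*idmap config[ \t]/ {
            if (split($1, a, ":") < 2) next
            d = a[1]; sub(/^[ \t]*idmap config[ \t]*/, "", d); sub(/[ \t]+$/, "", d)
            k = a[2]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (d != dom) next
            if (k == "backend") backend = v
            else if (k == "range") range = v
        }
        END { printf "%s %s\n", (backend == "" ? "-" : backend), (range == "" ? "-" : range) }'
}

# Exit 0 when two "lo-hi" id ranges share at least one id.
ranges_overlap() {
    lo1=${1%-*}; hi1=${1#*-}; lo2=${2%-*}; hi2=${2#*-}
    [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]
}

# Exit 0 when smb.conf text on stdin serves "NT AUTHORITY" from the nss backend
# with a range that does not overlap the allocating "*" backend's range.
check_nt_authority() {
    conf=$(cat)
    set -- $(printf '%s\n' "$conf" | idmap_config_for "NT AUTHORITY")
    backend=$1; range=$2
    set -- $(printf '%s\n' "$conf" | idmap_config_for "*")
    alloc_range=$2
    [ "$backend" = nss ] || { echo "NT AUTHORITY backend is '$backend', not nss"; return 1; }
    [ "$range" != "-" ] || { echo "NT AUTHORITY has no idmap range"; return 1; }
    if [ "$alloc_range" != "-" ] && ranges_overlap "$range" "$alloc_range"; then
        echo "NT AUTHORITY range $range overlaps allocator range $alloc_range"; return 1
    fi
    return 0
}

# Exit 0 when the gid winbind returns for a SID ("wbinfo -Y" output, $1) equals
# the gidNumber in the group's "getent group" line ($2). A mismatch means the
# ACL on disk refers to an allocated id that no group record resolves to.
mapping_consistent() {
    group_gid=$(printf '%s\n' "$2" | cut -d: -f3)
    [ "$1" = "$group_gid" ]
}

# Constructed configs for the offline demonstration (assumed allocator lines,
# not taken from a real host): before and after the workaround from Comment 4.
CONF_BEFORE='[global]
   idmap config * : backend = ldap
   idmap config * : range = 55000-65535
'
CONF_AFTER="$CONF_BEFORE   idmap config NT AUTHORITY : backend = nss
   idmap config NT AUTHORITY : range = 1000-54999
"

main() {
    if [ "$1" = "--live" ]; then
        check_nt_authority < /etc/samba/smb.conf && echo "smb.conf: NT AUTHORITY -> nss, ranges OK"
        mapping_consistent "$(wbinfo -Y S-1-5-11)" "$(getent group 'Authenticated Users')" \
            && echo "S-1-5-11 resolves to the gidNumber of 'Authenticated Users'"
    else
        printf '%s' "$CONF_BEFORE" | check_nt_authority || echo "before workaround: check fails (expected)"
        printf '%s' "$CONF_AFTER" | check_nt_authority && echo "after workaround: check passes"
    fi
}

main "$@"
```

Without "--live" the script only runs against the constructed configs, so it is safe to try anywhere; with "--live" it reads the real smb.conf and asks winbind, which is the check to repeat after "ucr commit" and the samba restart from Comment 4.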
Comment 5 Tim Petersen univentionstaff 2015-02-11 09:38:04 CET
Requested at 2015021121000159 for 3.2-4
Comment 6 Arvid Requate univentionstaff 2017-04-24 18:08:52 CEST
This issue has been filed against UCS 3.2.

UCS 3.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed.

If this is still an issue in newer UCS versions, please use "Clone this bug".
In this case please provide detailed information on how this issue is affecting
you.