
Bug #1526

should allow domain groups as member of local groups

Added by Gordon Ross almost 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Start date: 2011-09-16
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

You can add a domain group to a local group, i.e.

   smbadm add-member -m "MyDomain/Domain Admins" administrators

but it doesn't work. Only domain users work, not domain groups.

The group is there in the groups DB, but when you logon, your token does not contain the SIDs from these local group memberships. (Use the mdb "::cred -v" dcmd in #1525 to check.)

This was also apparently the subject of OpenSolaris CR:
6656828 Should be able to add domain groups as member of local groups


Files

good-cred.txt (1.55 KB), Gordon Ross, 2011-11-05 10:05 PM

History

#1

Updated by Gordon Ross almost 8 years ago

  • Status changed from New to In Progress
  • Assignee set to Gordon Ross
#2

Updated by Gordon Ross almost 8 years ago

In $SRC/lib/smbsrv/libsmb/common/smb_sam.c, smb_sam_usr_groups() adds local groups to the token where the user's primary SID matches any of the group member SIDs.
That algorithm is incomplete. It really should match all the user's SIDs against the local groups, both the primary SID and all the SIDs gathered from the AD server at logon time.

There was also a second problem, where "smbadm add-member" would restrict the type of account it would add to local users. That was just plain wrong. On Windows, you can add users, groups (whatever you like) to groups.
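
The matching logic this comment describes, and the reason the "smbadm add-member" case in the description produced no effect, as an added illustration that is not code from illumos or from Gordon Ross. The token and local-group structures are simplified stand-ins (not smb_token_t or the libsmb group DB), the domain SID S-1-5-21-1111-2222-3333 and the RID 1105 for admin1 are constructed, RID 512 is the standard Domain Admins RID, and S-1-5-32-544 is the local administrators alias named in comment #3. The first function reproduces the primary-SID-only comparison; the second compares every SID gathered at logon.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

#define	MAX_TOKEN_SIDS	16
#define	MAX_MEMBERS	4

/* Hypothetical, simplified access token: the user's primary SID plus every
 * SID collected for the user (domain groups from the DC at logon, then the
 * local groups added below). Not the illumos smb_token_t. */
struct token {
	const char *user_sid;
	const char *sids[MAX_TOKEN_SIDS];
	int nsids;
};

/* Hypothetical local-group record: the group's own SID and its member SIDs. */
struct local_group {
	const char *sid;
	const char *members[MAX_MEMBERS];	/* NULL-terminated */
};

static bool
token_has_sid(const struct token *t, const char *sid)
{
	for (int i = 0; i < t->nsids; i++)
		if (strcmp(t->sids[i], sid) == 0)
			return (true);
	return (false);
}

static bool
token_add_sid(struct token *t, const char *sid)
{
	if (token_has_sid(t, sid) || t->nsids >= MAX_TOKEN_SIDS)
		return (false);
	t->sids[t->nsids++] = sid;
	return (true);
}

/* Behaviour described in comment #2 before the fix: a local group is added
 * only when the user's primary SID is itself listed as a member, so
 * membership that arrives through a domain group is never seen. */
static int
add_local_groups_primary_only(struct token *t, const struct local_group *g, int ng)
{
	int added = 0;
	for (int i = 0; i < ng; i++)
		for (int j = 0; g[i].members[j] != NULL; j++)
			if (strcmp(g[i].members[j], t->user_sid) == 0) {
				added += token_add_sid(t, g[i].sid);
				break;
			}
	return (added);
}

/* Corrected matching: every SID already in the token (primary SID and the
 * domain group SIDs gathered at logon) is compared with each member list. */
static int
add_local_groups_all_sids(struct token *t, const struct local_group *g, int ng)
{
	int added = 0;
	int n = t->nsids;	/* snapshot: match against the logon SIDs only */
	for (int i = 0; i < ng; i++)
		for (int j = 0; g[i].members[j] != NULL; j++) {
			bool match = false;
			for (int k = 0; k < n && !match; k++)
				match = strcmp(t->sids[k], g[i].members[j]) == 0;
			if (match) {
				added += token_add_sid(t, g[i].sid);
				break;
			}
		}
	return (added);
}

/* Constructed sample data: the domain SID and the user RID are invented. */
#define	DOM	"S-1-5-21-1111-2222-3333"
static const char *ADMIN1_SID = DOM "-1105";		/* MyDomain\admin1 */
static const char *DOMAIN_ADMINS_SID = DOM "-512";	/* MyDomain\Domain Admins */

/* Local "administrators" (S-1-5-32-544) after
 * smbadm add-member -m "MyDomain/Domain Admins" administrators */
static const struct local_group sample_groups[] = {
	{ "S-1-5-32-544", { DOM "-512", NULL } },
};
#define	NSAMPLE_GROUPS	1

/* Token as it looks once the DC has answered the logon for admin1:
 * the primary SID plus the domain groups the DC reported. */
static void
build_sample_token(struct token *t)
{
	memset(t, 0, sizeof (*t));
	t->user_sid = ADMIN1_SID;
	token_add_sid(t, ADMIN1_SID);
	token_add_sid(t, DOMAIN_ADMINS_SID);
}

int
main(void)
{
	struct token t;

	build_sample_token(&t);
	add_local_groups_primary_only(&t, sample_groups, NSAMPLE_GROUPS);
	printf("primary-only: S-1-5-32-544 in token? %s\n",
	    token_has_sid(&t, "S-1-5-32-544") ? "yes" : "no");

	build_sample_token(&t);
	add_local_groups_all_sids(&t, sample_groups, NSAMPLE_GROUPS);
	printf("all-sids:     S-1-5-32-544 in token? %s\n",
	    token_has_sid(&t, "S-1-5-32-544") ? "yes" : "no");
	return (0);
}
```

The snapshot of nsids in add_local_groups_all_sids keeps the comparison to the SIDs present at logon, so the result does not depend on the order in which local groups are stored; a nested local-group expansion would need a second pass.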

#3

Updated by Gordon Ross almost 8 years ago

Test method for fix verification:

+ On the AD server, make some new user that's a member of the domain\administrators group (i.e. "admin1")
+ Join the illumos machine to a domain
+ Add the domain\Administrators group to the local administrators group (note 1)
+ Log on to the illumos machine as domain\admin1
+ Examine the credential using mdb as follows:

::smblist -uv
{cred addr} ::cred -v

See the attached good-cred as an example.

After the fix, the credential will have 0x10 in the flags,
and the kSID list will include: S-1-5-32-544

And, of course, verify that domain\admin1 can access
files and directories that are restricted to Administrators.

#4

Updated by Gordon Ross almost 8 years ago

  • Status changed from In Progress to Resolved

changeset:   13511:0e6c45a1423b
tag:         tip
user:        Gordon Ross <gwr@nexenta.com>
date:        Tue Nov 08 16:22:36 2011 -0500

description:
    1526 should allow domain groups as member of local groups
    Reviewed by: Garrett D'Amore <garrett@nexenta.com>
    Reviewed by: Dan McDonald <danmcd@nexenta.com>
    Reviewed by: Richard Lowe <richlowe@richlowe.net>
    Approved by: Garrett D'Amore <garrett@nexenta.com>

modified:
   usr/src/cmd/smbsrv/smbadm/smbadm.c
   usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c
   usr/src/lib/smbsrv/libsmb/common/smb_sam.c
   usr/src/man/man1m/smbadm.1m
