Bug #1526 (closed)
should allow domain groups as member of local groups
Description
You can add a domain group to a local group, i.e.
smbadm add-member -m "MyDomain/Domain Admins" administrators
but it doesn't work. Only domain users work, not domain groups.
The group is there in the groups DB, but when you log on, your token does not contain the SIDs from these local group memberships. (Use the mdb "::cred -v" dcmd in #1525 to check.)
This was also apparently the subject of OpenSolaris CR:
6656828 Should be able to add domain groups as member of local groups
Updated by Gordon Ross about 12 years ago
- Status changed from New to In Progress
- Assignee set to Gordon Ross
Updated by Gordon Ross about 12 years ago
In $SRC/lib/smbsrv/libsmb/common/smb_sam.c smb_sam_usr_groups()
adds local groups to the token where the user's primary SID matches any of the group member SIDs.
That algorithm is incomplete. It really should match all the user's SIDs against the local groups, both the primary SID and all the SIDs gathered from the AD server at logon time.
There was also a second problem, where "smbadm add-member" would restrict the type of account it would add to local users. That was just plain wrong. On Windows, you can add users, groups, (whatever you like) to groups.
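To make the matching problem concrete, here is an added, self-contained illustration (not code from illumos or from this changeset) of the two strategies described above: checking local group membership against only the token's primary SID, versus against every SID the token carries. The local group DB, the domain SID prefix S-1-5-21-1-2-3, the machine-local group SID S-1-5-21-9-9-9-1001 and the user "admin1" are all constructed for the example; S-1-5-32-544 is the well-known BUILTIN\Administrators SID named in the report.

```c
/*
 * Added illustration, not illumos code: how local group matching in the
 * style of smb_sam_usr_groups() behaves when only the primary SID is
 * considered versus when every SID in the logon token is considered.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_MEMBERS 4

struct local_group {
	const char *sid;                   /* SID of the local group itself */
	const char *members[MAX_MEMBERS];  /* member SIDs, NULL-terminated */
};

/*
 * Constructed sample local group DB:
 *  - BUILTIN\Administrators (S-1-5-32-544) contains a hypothetical domain
 *    group "MyDomain\Domain Admins" (domain prefix S-1-5-21-1-2-3 is made up).
 *  - A hypothetical machine-local group contains the domain user directly.
 */
static const struct local_group sample_groups[] = {
	{ "S-1-5-32-544",        { "S-1-5-21-1-2-3-512",  NULL } },
	{ "S-1-5-21-9-9-9-1001", { "S-1-5-21-1-2-3-1105", NULL } },
};
static const size_t sample_ngroups =
    sizeof sample_groups / sizeof sample_groups[0];

/*
 * Collect the SIDs of every local group that has any of user_sids[] as a
 * member. Returns the number of groups matched; up to max_out of their
 * SIDs are written into out[] in DB order.
 */
size_t
match_local_groups(const char *const *user_sids, size_t nsids,
    const struct local_group *groups, size_t ngroups,
    const char **out, size_t max_out)
{
	size_t found = 0;

	for (size_t g = 0; g < ngroups; g++) {
		int hit = 0;
		for (size_t m = 0; groups[g].members[m] != NULL && !hit; m++)
			for (size_t u = 0; u < nsids; u++)
				if (strcmp(groups[g].members[m], user_sids[u]) == 0) {
					hit = 1;
					break;
				}
		if (hit && found < max_out)
			out[found] = groups[g].sid;
		if (hit)
			found++;
	}
	return (found);
}

/*
 * Token for the hypothetical domain user admin1: the primary (user) SID
 * first, then the group SIDs the DC returned at logon, including
 * Domain Admins. All values are constructed.
 */
static const char *const admin1_sids[] = {
	"S-1-5-21-1-2-3-1105",   /* primary SID (the user) */
	"S-1-5-21-1-2-3-512",    /* Domain Admins, from the DC */
	"S-1-1-0",               /* Everyone */
};

static const char *result[8];   /* matched local group SIDs */

/* Old behaviour: only the primary SID is compared against group members. */
size_t
groups_primary_only(void)
{
	return (match_local_groups(admin1_sids, 1,
	    sample_groups, sample_ngroups, result, 8));
}

/* Fixed behaviour: every SID in the token is compared. */
size_t
groups_all_sids(void)
{
	size_t n = sizeof admin1_sids / sizeof admin1_sids[0];
	return (match_local_groups(admin1_sids, n,
	    sample_groups, sample_ngroups, result, 8));
}

/* i-th local group SID matched by the most recent call above. */
const char *
result_at(size_t i)
{
	return (result[i]);
}

int
main(void)
{
	size_t n = groups_primary_only();
	printf("primary SID only: %zu local group(s)\n", n);
	for (size_t i = 0; i < n; i++)
		printf("  %s\n", result_at(i));

	n = groups_all_sids();
	printf("all token SIDs:   %zu local group(s)\n", n);
	for (size_t i = 0; i < n; i++)
		printf("  %s\n", result_at(i));
	return (0);
}
```

With the primary SID alone, admin1 only picks up the local group that lists the user directly, which is why domain users worked but domain groups did not; once every token SID is considered, BUILTIN\Administrators is matched through Domain Admins as well, which is the S-1-5-32-544 entry the verification procedure later in this thread looks for in the credential's SID list.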
Updated by Gordon Ross almost 12 years ago
- File good-cred.txt good-cred.txt added
Test method for fix verification:
+ On the AD server, make some new user that's a member of the domain\administrators group (i.e. "admin1")
+ Join the illumos machine to a domain
+ Add the domain\Administrators group to the local administrators group (note 1)
+ Logon to the illumos machine as domain\admin1
+ Examine the credential using mdb as follows:
    ::smblist -uv
    {cred addr}::cred -v
See the attached good-cred as an example.
After the fix, the credential will have 0x10 in the flags,
and the kSID list will include: S-1-5-32-544
And, of course, verify that domain\admin1 can access
files and directories that are restricted to Administrators.
Updated by Gordon Ross almost 12 years ago
- Status changed from In Progress to Resolved
changeset: 13511:0e6c45a1423b
tag: tip
user: Gordon Ross <gwr@nexenta.com>
date: Tue Nov 08 16:22:36 2011 -0500
description:
1526 should allow domain groups as member of local groups
Reviewed by: Garrett D'Amore <garrett@nexenta.com>
Reviewed by: Dan McDonald <danmcd@nexenta.com>
Reviewed by: Richard Lowe <richlowe@richlowe.net>
Approved by: Garrett D'Amore <garrett@nexenta.com>
modified:
usr/src/cmd/smbsrv/smbadm/smbadm.c
usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c
usr/src/lib/smbsrv/libsmb/common/smb_sam.c
usr/src/man/man1m/smbadm.1m