Hello openssh developers, long time no see :-)

there is a bug in sshd with *nix machines joined to Active Directory using Samba's winbind daemon. The problem is that with cold caches, a user logging in via ssh possibly gets the wrong primary gid assigned.

Let me try to explain in detail:

In Active Directory (AD) you only get a correct access token (group memberships of a user) during authentication. Only a Domain Controller (DC) is able to calculate the access token, as it has the required permission to collect the information in the forest.

When Samba authenticates a user using winbindd, we either authenticate the user using Kerberos or NTLM. We get the access token sent back upon successful authentication and store it in a cache. All system calls like getent are answered by looking up the information from that cache.

On a new connection the openssh server checks if the connecting username exists using getpwnam(); it then stores the 'struct passwd' in the session structure. If the user gets authenticated using PAM through pam_winbind, we authenticate the user against our DC, get the correct access token and cache it.

However, the openssh server doesn't update the passwd structure after a successful PAM authentication; it sets up the user context (setuid, setgid, initgroups) using the outdated information stored in the session structure.

The openssh server should update the passwd structure using getpwuid() before it sets up the user's context (setuid, setgid, initgroups)!

This is probably easy to fix; the question is whether you want to call getpwuid() directly after a successful PAM conversation or before dropping privileges?

Best regards,

Andreas

--
Andreas Schneider asn@xxxxxxxxxxxxxx
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
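The ordering problem described in the mail, as an added C illustration that is not OpenSSH or Samba code: the winbind-backed NSS lookup is replaced by a constructed in-memory cache (the user name, uid and gids are made up), and the two session functions return the gid that setgid() would receive under the stale sequence and under the refreshed sequence, the latter also checking that the re-fetched entry still names the same identity.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the winbind NSS cache. Cold, it only knows a
 * default primary gid; PAM authentication fills in the DC's access token. */
struct passwd_entry { const char *name; uid_t uid; gid_t gid; };

static int cache_warm = 0;   /* 0 = cold cache, 1 = access token cached */

static struct passwd_entry *lookup_uid(uid_t uid) {
    static struct passwd_entry e;           /* static buffer, like getpwuid() */
    if (uid != 10001) return NULL;          /* constructed uid for "alice" */
    e.name = "alice"; e.uid = uid;
    e.gid = cache_warm ? 20042 : 10001;     /* real primary gid only after auth */
    return &e;
}

static struct passwd_entry *lookup_name(const char *name) {
    return strcmp(name, "alice") == 0 ? lookup_uid(10001) : NULL;
}

static int pam_authenticate_user(const char *name) {
    (void)name; cache_warm = 1; return 1;   /* successful PAM conversation */
}

/* Buggy sequence: passwd entry captured at connection time, reused after auth. */
gid_t session_gid_stale(const char *name) {
    cache_warm = 0;                                /* start from a cold cache */
    struct passwd_entry *p = lookup_name(name);
    if (p == NULL) return (gid_t)-1;
    struct passwd_entry pw = *p;                   /* copy out of the static buffer */
    if (!pam_authenticate_user(name)) return (gid_t)-1;
    return pw.gid;                                 /* setgid() would get the stale gid */
}

/* Fixed sequence: re-fetch by uid after auth, verify identity, then drop privileges. */
gid_t session_gid_refreshed(const char *name) {
    cache_warm = 0;
    struct passwd_entry *p = lookup_name(name);
    if (p == NULL) return (gid_t)-1;
    struct passwd_entry pw = *p;
    if (!pam_authenticate_user(name)) return (gid_t)-1;
    struct passwd_entry *fresh = lookup_uid(pw.uid);
    if (fresh == NULL || fresh->uid != pw.uid || strcmp(fresh->name, pw.name) != 0)
        return (gid_t)-1;                          /* identity changed under us: refuse */
    pw = *fresh;
    return pw.gid;                                 /* setgid() would get the DC's gid */
}
```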