On Mon, 11 Feb 2019, Andreas Schneider wrote:

> Hello openssh developers,
>
> long time no see :-)
>
> there is a bug in sshd with *nix machines joined to Active Directory using
> Samba's winbind daemon.
>
> The problem is that with cold caches, a user logging in via ssh possibly
> gets the wrong primary gid assigned. Let me try to explain in detail:
>
> In Active Directory (AD) you only get a correct access token (group
> memberships of a user) during authentication. Only a Domain Controller (DC)
> is able to calculate the access token, as it has the required permission to
> collect the information in the forest.
>
> When Samba authenticates a user using winbindd, we either authenticate the
> user using Kerberos or NTLM. We get the access token sent back upon
> successful authentication and store it in a cache. All system calls like
> getent are answered by looking up the information from that cache.
>
> On a new connection the openssh server checks if the connecting username
> exists using getpwnam(); it then stores the 'struct passwd' in the session
> structure.
>
> If the user gets authenticated using PAM through pam_winbind, we
> authenticate the user against our DC, get the correct access token and
> cache it. However the openssh server doesn't update the passwd structure
> after a successful PAM authentication; it sets up the user context (setuid,
> setgid, initgroups) using the outdated information stored in the session
> structure.
>
> The openssh server should update the passwd structure using getpwuid()
> before it sets up the user's context (setuid, setgid, initgroups)!
>
> This is probably easy to fix, the question is when you want to call
> getpwuid(): directly after a successful PAM conversation or before dropping
> privileges?

I don't want to support struct passwd fiddling via PAM - it makes the server
considerably more difficult to reason about. I'm pretty sure the other
developers feel the same way.

IMO a nis/nsswitch module is the right way to implement this sort of
functionality.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
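The sequence Andreas describes (snapshot `struct passwd` at connection time, authenticate, then setuid/setgid/initgroups from the stale snapshot) and the refresh he proposes are easy to see in code. The following is an added illustration written for this thread; it is not OpenSSH's code and does not claim to be how sshd is structured. The `session_t`, `snapshot_passwd`, `refresh_passwd` and `drop_privileges` names are assumptions made for the example; it re-resolves the entry with `getpwuid()` after the (elided) PAM step, refuses to proceed if the uid now maps to a different account name, and checks every step of the privilege drop instead of continuing as root on failure.

```c
/* Added example for this thread, not OpenSSH code.  Re-resolve the user's
 * passwd entry after authentication and before dropping privileges so a
 * primary gid updated by the NSS backend (e.g. winbind's post-auth cache)
 * is the one actually passed to initgroups()/setgid().
 * session_t, snapshot_passwd, refresh_passwd, drop_privileges: assumed names. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-in for the fields of the session structure the message describes:
 * a copy of struct passwd taken at connection time, before authentication. */
typedef struct {
    char  name[64];
    uid_t uid;
    gid_t gid;
} session_t;

/* Deep-copy the fields we need: getpw*() returns static storage that the
 * next NSS call overwrites, so keeping the pointer would be unsafe. */
static void snapshot_passwd(const struct passwd *pw, session_t *s)
{
    snprintf(s->name, sizeof s->name, "%s", pw->pw_name);
    s->uid = pw->pw_uid;
    s->gid = pw->pw_gid;
}

/* 1 if a fresh lookup for the same uid now reports a different primary gid
 * (the cold-cache case from the message), 0 otherwise. */
static int passwd_gid_changed(const session_t *cached, const struct passwd *fresh)
{
    return cached->uid == fresh->pw_uid && cached->gid != fresh->pw_gid;
}

/* Re-resolve by uid after authentication and update the snapshot in place.
 * Returns 1 if the gid changed, 0 if unchanged, -1 if the lookup failed or
 * the uid no longer belongs to the account that authenticated. */
static int refresh_passwd(session_t *s)
{
    errno = 0;
    struct passwd *fresh = getpwuid(s->uid);
    if (fresh == NULL)
        return -1;
    if (strcmp(fresh->pw_name, s->name) != 0)   /* uid reassigned: abort */
        return -1;
    if (!passwd_gid_changed(s, fresh))
        return 0;
    s->gid = fresh->pw_gid;
    return 1;
}

/* Set up the user context from the refreshed snapshot.  Supplementary
 * groups and gid must be set while still root; uid goes last because it is
 * irreversible.  Any failure returns -1 so the caller aborts the session
 * rather than running with partially dropped privileges. */
static int drop_privileges(const session_t *s)
{
    if (initgroups(s->name, s->gid) != 0)
        return -1;
    if (setgid(s->gid) != 0)
        return -1;
    if (setuid(s->uid) != 0)
        return -1;
    /* Verify the drop took effect and cannot be undone. */
    if (getuid() != s->uid || getgid() != s->gid)
        return -1;
    if (s->uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : getpwuid(getuid());
    if (pw == NULL) { perror("getpw"); return 1; }

    session_t s;
    snapshot_passwd(pw, &s);           /* what the server stores on connect */
    /* ... PAM conversation (pam_winbind) would run here ... */
    int r = refresh_passwd(&s);        /* the proposed fix: re-resolve first */
    if (r < 0) { fprintf(stderr, "refresh failed\n"); return 1; }
    printf("%s uid=%u gid=%u (%s)\n", s.name, (unsigned)s.uid, (unsigned)s.gid,
           r ? "gid updated after auth" : "unchanged");
    return drop_privileges(&s) == 0 ? 0 : 1;   /* needs root to succeed */
}
```

Running it as root with a username shows whether the gid reported before and after the lookup differ; as an unprivileged user `initgroups()` fails with EPERM and the program exits non-zero, which is the intended fail-closed behaviour. The name check in `refresh_passwd` is the caveat a reviewer would raise about any post-authentication re-lookup: the refreshed entry must still be the account that authenticated, not merely the same uid.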