sshd and pam_winbind (Samba)

Andreas Schneider asn at
Tue Feb 12 02:55:44 AEDT 2019

Hello openssh developers,

long time no see :-)

there is a bug in sshd with *nix machines joined to Active Directory using 
Samba's winbind daemon.

The problem is that with cold caches, a user logging in via ssh gets possibly 
the wrong primary gid assigned. Let me try to explain in detail:

In Active Directory (AD) you only get a correct access token (group 
memberships of a user) during authentication. Only a Domain Controller (DC) is 
able to calculate the access token as it as the required permission to collect 
the information in the forest.

When Samba authenticates a user using winbindd. We either authenticate the 
user using Kerberos or NTLM. We get the access token sent back upon successful 
authentication and store it in a cache. All system calls like getent are 
answered looking up the information from that cache.

On a new connection the openssh server checks if the connecting username 
exists using getpwnam() it then stores the 'struct passwd' in the session 

If the gets authenticated using PAM through pam_winbind we authencticate the 
user against our DC, get correct access token and cache it. However the 
openssh server doesn't update the passwd structure after a successful PAM 
authentication, it sets up the user context (setuid, setgid, initgroups) using 
the outdated information stored in the session structure.

The openssh server should update the passwd structure using getpwuid() before 
it sets up the users context (setuid, setgid, initgroups)!

This is probably easy to fix, the question is when you want to call getpwuid() 
directly after a successful PAM conversation or before dropping privileges?

Best regards,


Andreas Schneider                 asn at
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the openssh-unix-dev mailing list