sshd and pam_winbind (Samba)
asn at cryptomilk.org
Tue Feb 12 02:55:44 AEDT 2019

Hello openssh developers,

long time no see :-)

there is a bug in sshd with *nix machines joined to Active Directory using
Samba's winbind daemon.

The problem is that with cold caches, a user logging in via ssh possibly gets
the wrong primary gid assigned. Let me try to explain in detail:

In Active Directory (AD) you only get a correct access token (group
memberships of a user) during authentication. Only a Domain Controller (DC) is
able to calculate the access token, as it has the required permission to collect
the information in the forest.

When Samba authenticates a user using winbindd, we either authenticate the
user using Kerberos or NTLM. We get the access token sent back upon successful
authentication and store it in a cache. All system calls like getent are
answered by looking up the information from that cache.

On a new connection the openssh server checks if the connecting username
exists using getpwnam(); it then stores the 'struct passwd' in the session.

If the user gets authenticated using PAM through pam_winbind, we authenticate the
user against our DC, get the correct access token and cache it. However, the
openssh server doesn't update the passwd structure after a successful PAM
authentication; it sets up the user context (setuid, setgid, initgroups) using
the outdated information stored in the session structure.

The openssh server should update the passwd structure using getpwuid() before
it sets up the user's context (setuid, setgid, initgroups)!

This is probably easy to fix. The question is when you want to call getpwuid():
directly after a successful PAM conversation or before dropping privileges?

Andreas Schneider asn at cryptomilk.org
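
The refresh the message asks for, sketched as an added example (not OpenSSH code and not part of the post): re-resolve the account after authentication and take the primary gid from the fresh entry before any setgid/initgroups/setuid call. The `cached_pw` struct, `refresh_cached_pw`, the lookup hook and all names, uids and gids are hypothetical, constructed for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for the passwd copy kept in the session. */
struct cached_pw {
    char  name[64];
    uid_t uid;
    gid_t gid;
};

/* Lookup hook so the logic runs without a domain; real code would pass getpwuid. */
typedef struct passwd *(*pw_lookup_fn)(uid_t);

/* Re-resolve the account after authentication.
 * Returns 1 if the primary gid was updated, 0 if it was already current,
 * -1 if the fresh entry is missing or names a different account
 * (the caller should then refuse the login instead of guessing). */
int refresh_cached_pw(struct cached_pw *c, pw_lookup_fn lookup)
{
    struct passwd *fresh = lookup(c->uid);
    if (fresh == NULL || fresh->pw_uid != c->uid ||
        strcmp(fresh->pw_name, c->name) != 0)
        return -1;
    if (fresh->pw_gid == c->gid)
        return 0;
    c->gid = fresh->pw_gid;
    return 1;
}

/* Constructed sample: the NSS answer once the access token is cached. */
static struct passwd warm_entry;
static struct passwd *warm_lookup(uid_t uid)
{
    warm_entry.pw_name = "EXAMPLE\\alice";
    warm_entry.pw_uid = 100500;
    warm_entry.pw_gid = 100513;
    return uid == warm_entry.pw_uid ? &warm_entry : NULL;
}

int main(void)
{
    /* Constructed: entry captured with cold caches, before PAM ran. */
    struct cached_pw pw = { "EXAMPLE\\alice", 100500, 100999 };
    int rc = refresh_cached_pw(&pw, warm_lookup);
    printf("rc=%d gid=%lu\n", rc, (unsigned long)pw.gid);
    /* Only now would setgid(pw.gid), initgroups() and setuid(pw.uid) follow. */
    return rc < 0;
}
```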