sshd and pam_winbind (Samba)

Andreas Schneider asn at cryptomilk.org
Tue Feb 12 19:47:37 AEDT 2019 

On Tuesday, February 12, 2019 12:06:06 AM CET Damien Miller wrote:
> On Mon, 11 Feb 2019, Andreas Schneider wrote:
> > Hello openssh developers,
> > 
> > long time no see :-)
> > 
> > there is a bug in sshd with *nix machines joined to Active Directory using
> > Samba's winbind daemon.
> > 
> > The problem is that with cold caches, a user logging in via ssh gets
> > possibly the wrong primary gid assigned. Let me try to explain in detail:
> > 
> > In Active Directory (AD) you only get a correct access token (group
> > memberships of a user) during authentication. Only a Domain Controller
> > (DC) is able to calculate the access token as it as the required
> > permission to collect the information in the forest.
> > 
> > When Samba authenticates a user using winbindd. We either authenticate the
> > user using Kerberos or NTLM. We get the access token sent back upon
> > successful authentication and store it in a cache. All system calls like
> > getent are answered looking up the information from that cache.
> > 
> > On a new connection the openssh server checks if the connecting username
> > exists using getpwnam() it then stores the 'struct passwd' in the session
> > structure.
> > 
> > If the gets authenticated using PAM through pam_winbind we authencticate
> > the user against our DC, get correct access token and cache it. However
> > the openssh server doesn't update the passwd structure after a successful
> > PAM authentication, it sets up the user context (setuid, setgid,
> > initgroups) using the outdated information stored in the session
> > structure.
> > 
> > The openssh server should update the passwd structure using getpwuid()
> > before it sets up the users context (setuid, setgid, initgroups)!
> > 
> > This is probably easy to fix, the question is when you want to call
> > getpwuid() directly after a successful PAM conversation or before
> > dropping privileges?
> I don't want to support struct passwd fiddling via PAM - it makes the
> server considerably more difficult to reason about. I'm pretty sure
> the other developers feel the same way.

I don't really see why a getpwuid() would make it more complex. As it seems 
not clear what I mean, see attached patch.
 
> IMO a nis/nsswitch module is the right way to implement this sort of
> functionality.

We have a nss_winbind modules and it will provide correct user information 
after the user has been successfully authenticated. For that you need to read 
the user information after successful login.

I hope the patch makes it clear.


Best regards,


	Andreas

-- 
Andreas Schneider                 asn at cryptomilk.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-session-Update-the-passwd-structure-after-successful.patch
Type: text/x-patch
Size: 1362 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190212/12856a01/attachment.bin>

More information about the openssh-unix-dev mailing list