sshd/winbind wrong GID redux

Jakub Jelen jjelen at redhat.com
Wed May 27 17:27:08 AEST 2020


On Tue, 2020-05-26 at 17:11 +0200, Hans Petter Jansson wrote:
> Hi, I'm in the position of having to support a fix for a bad
> interaction between sshd and winbind/Active Directory. It's solved by
> a small patch against openssh, but it would be nice to have the
> solution generally available.
> 
> The problem has previously been described on this list by Andreas
> Schneider, see:
> 
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-February/037556.html
> 
> That's the last mention of this I could find in the archives. Was a
> final decision reached on whether that patch (or something similar)
> would be accepted?

Did you try that patch and it solved the issue for you? We tried and we
were not able to verify it fixes the described issue.

Moreover, this original patch is broken on systems where two users have
the same UID.

I tried to tweak it a bit (see the attached patch) to avoid these
issues, but still we were not able to verify it fixes the described
issue so we do not ship it.

I did not look into this much, but if I am right, the group information
is cached in uidswap.c too, so it might need some more work to be
working. Whether it will be accepted here is another question.

Hope it helps,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
-------------- next part --------------
commit 3899be76a3fdbf366ee7143ce38f53a1546b65ae
Author: Jakub Jelen <jjelen at redhat.com>
Date:   Fri May 31 13:24:34 2019 +0200

    Update cached pw structure after successful authentication through PAM

diff --git a/session.c b/session.c
index f2c3abde..e25f1e82 100644
--- a/session.c
+++ b/session.c
@@ -1515,9 +1515,21 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 	extern char **environ;
 	char **env, *argv[ARGV_MAX], remote_id[512];
 	const char *shell, *shell0;
-	struct passwd *pw = s->pw;
+	struct passwd *pw = NULL;
 	int r = 0;
 
+	/* Update the users passwd structure after successful login */
+	pw = pwcopy(getpwnam(s->pw->pw_name));
+	if (pw != NULL) {
+		s->pw = pw;
+		/* Fix also the original location where we copied
+		 * the pw structure from, to be sure. */
+		free(s->authctxt->pw);
+		s->authctxt->pw = pw;
+	} else {
+		pw = s->pw;
+	}
+
 	sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
 
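Review bot: the NULL check tests the wrong value: pwcopy() is applied to the result of getpwnam() before that result is checked, so when the lookup fails (the account is gone from the directory, or winbind is not answering) the NULL is dereferenced inside pwcopy() instead of reaching the `pw = s->pw;` fallback branch. Test the lookup result first, for example `struct passwd *npw = getpwnam(s->pw->pw_name);` followed by `if (npw != NULL) pw = pwcopy(npw);`. Two smaller points in the same block: `free(s->authctxt->pw)` releases only the outer struct of a passwd that was itself produced by pwcopy(), so its duplicated member strings (name, dir, shell, ...) leak, and after the assignments s->pw and s->authctxt->pw point at the same allocation, so whichever is freed later leaves the other dangling. The comment should also read "the user's passwd structure".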


More information about the openssh-unix-dev mailing list