sshd and pam_winbind (Samba)
Damien Miller
djm at mindrot.org
Tue Feb 12 10:06:06 AEDT 2019
On Mon, 11 Feb 2019, Andreas Schneider wrote:
> Hello openssh developers,
>
> long time no see :-)
>
> there is a bug in sshd with *nix machines joined to Active Directory using
> Samba's winbind daemon.
>
> The problem is that with cold caches, a user logging in via ssh gets possibly
> the wrong primary gid assigned. Let me try to explain in detail:
>
> In Active Directory (AD) you only get a correct access token (group
> memberships of a user) during authentication. Only a Domain Controller (DC) is
> able to calculate the access token as it has the required permission to collect
> the information in the forest.
>
> When Samba authenticates a user using winbindd, we either authenticate the
> user using Kerberos or NTLM. We get the access token sent back upon successful
> authentication and store it in a cache. All system calls like getent are
> answered looking up the information from that cache.
>
> On a new connection the openssh server checks if the connecting username
> exists using getpwnam() it then stores the 'struct passwd' in the session
> structure.
>
> If the user gets authenticated using PAM through pam_winbind, we authenticate the
> user against our DC, get the correct access token and cache it. However the
> openssh server doesn't update the passwd structure after a successful PAM
> authentication; it sets up the user context (setuid, setgid, initgroups) using
> the outdated information stored in the session structure.
>
> The openssh server should update the passwd structure using getpwuid() before
> it sets up the user's context (setuid, setgid, initgroups)!
>
> This is probably easy to fix; the question is when you want to call getpwuid():
> directly after a successful PAM conversation or before dropping privileges?
I don't want to support struct passwd fiddling via PAM - it makes the
server considerably more difficult to reason about. I'm pretty sure
the other developers feel the same way.
IMO a nis/nsswitch module is the right way to implement this sort of
functionality.
-d
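The sequence Andreas describes (look the user up by name before authentication, re-read the entry by uid once PAM has succeeded, then setgid/initgroups/setuid with the fresh entry), as an added illustration. This is not OpenSSH or Samba code; the `cached_pw` struct and the function names are assumed for the example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-in for the passwd fields sshd keeps in its session structure. */
struct cached_pw {
    char name[64];
    uid_t uid;
    gid_t gid;
};

/* Before authentication: look the user up by name, as sshd does with getpwnam().
 * With cold winbind caches the gid may be stale. Returns 0 on success, -1 if unknown. */
int cache_passwd(const char *name, struct cached_pw *out)
{
    struct passwd pw, *res;
    char buf[4096];
    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    snprintf(out->name, sizeof out->name, "%s", res->pw_name);
    out->uid = res->pw_uid;
    out->gid = res->pw_gid;
    return 0;
}

/* After PAM succeeded: re-read by uid, as the report proposes, and adopt the
 * now-cached primary gid. Returns 1 if it changed, 0 if unchanged, -1 on failure. */
int refresh_passwd(struct cached_pw *c)
{
    struct passwd pw, *res;
    char buf[4096];
    if (getpwuid_r(c->uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    if (res->pw_gid == c->gid)
        return 0;
    c->gid = res->pw_gid;
    return 1;
}

/* Drop privileges using the refreshed entry (only succeeds when run as root). */
int setup_user_context(const struct cached_pw *c)
{
    if (setgid(c->gid) != 0 || initgroups(c->name, c->gid) != 0 || setuid(c->uid) != 0)
        return -1;
    return 0;
}
```

The stale-cache case is simulated by a constructed entry whose gid does not match what getpwuid() currently returns; refresh_passwd() reports the change and corrects the gid before the privilege drop.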