[GE users] Troubles with Interix and AD

Beat Rubischon beat.rubischon at dalco.ch
Mon Jan 28 09:35:08 GMT 2008


Hi Harald!

Thanks for your input - I tried to verify the described behaviour:

On 26.1.2008 at 22:31, "Harald Pollinger" at
<Harald.Pollinger at Sun.COM> wrote:

> You shouldn't be able to become a normal Domain user without providing a
> password.

> I'm not sure about it, but IIRC the local Administrator can use the
> security token of a Domain user if it is stored on the local host. This
> should be the case if the Domain user is logged in to the local host (or
> was logged in lately, because security tokens are cached on the local host).

Two test systems, one running W2k3/SUA, the other one XP/SFU, both members
of an AD domain. Both systems allow the local Administrator to become any
domain user - whether they were logged in before (brubischon) or never logged
in at all (prubischon):

$ id
uid=197108(WINNODE01+Administrator) gid=197121(WINNODE01+None)
groups=197121(WINNODE01+None), 65792(+Everyone), 131616(+Administrators),
131617(+Users), 66820(+INTERACTIVE), 66827(+Authenticated Users),
66831(+This Organization), 4095(CurrentSession), 262154(NT AUTHORITY+NTLM
Authentication)
$ pdomain        
CORP

$ su brubischon
$ id
uid=1049823(brubischon) gid=1049089(Domain Users) groups=1049089(Domain
Users), 65792(+Everyone), 131617(+Users), 4095(CurrentSession),
66048(+LOCAL), 66820(+INTERACTIVE), 66827(+Authenticated Users)
$ ^D

$ su prubischon
$ id
uid=1049928(prubischon) gid=1049089(Domain Users) groups=1049089(Domain
Users), 65792(+Everyone), 131617(+Users), 4095(CurrentSession),
66048(+LOCAL), 66820(+INTERACTIVE), 66827(+Authenticated Users)
$ ^D

Of course I don't have access to any network resources, which is OK for the
current application.

I checked libs/uti/sge_uidgid.c and it looks like the "UNIX alike" setuid() is
only used in the case of windomacc=false. When providing an sgepasswd file, the
function wl_setuser() is used.

In case I don't find the magic key in the Active Directory, I'll implement
sgepasswd even though I don't need access to any network resources during the
job run.

Beat

-- 
Beat Rubischon <beat.rubischon at dalco.ch>
DALCO AG, Industriestrasse 28, 8604 Volketswil
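The message above notes that on the windomacc=false path sge_uidgid.c switches identity with a plain "UNIX alike" setuid(). As an added example (not Grid Engine's code, and not from this thread), the block below shows the defensive pattern an execution daemon should use on that path: drop supplementary groups, switch gid before uid, set real, effective and saved ids together, and then verify that the drop is complete and irreversible rather than trusting the return value of setuid() alone. The function name drop_privileges is hypothetical; it assumes a Linux system with setresuid/setresgid available.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently switch to the target account and verify the switch, the way an
 * execution daemon should before running a job as a user.  Hypothetical
 * helper, not the sge_uidgid.c code: it returns 0 on success and -1 if any
 * step fails or if the process could still regain its old identity.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Supplementary groups are the ones most often forgotten; only root may
     * clear them, and an unprivileged caller has nothing to clear. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group first: once the uid is gone, changing the gid is no longer
     * permitted. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Check real, effective and saved ids, not only the effective one:
     * a stale saved uid is exactly what lets a process climb back. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;

    /* A correct drop is irreversible: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* Constructed demonstration: drop to the invoking user's own ids, which
     * works without root; a real daemon passes the job owner's uid/gid. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as an ordinary user the program simply re-asserts its own identity and exits 0; started as root with a job owner's uid/gid passed to drop_privileges it shows the full drop, and the final setuid(0) probe is what would catch a partial switch. This pattern only covers the POSIX path; on the Interix/SUA side the identity change goes through wl_setuser() and the Windows token, which is where the password-less su behaviour observed above originates, so this check does not apply there.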
