From: lukie@berdyczow.org (Łukasz Grochal)
Subject: Problem (a bug?) with Samba 3.0 rcX on Debian Woody.
To: peloy@debian.org
Date: Mon, 22 Sep 2003 19:17:32 +0200
X-Sent: 6 days, 7 hours, 27 minutes, 48 seconds ago
User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (gnu/linux)

Hello,

I've come across a problem with a certain configuration of Samba 3.0 rcX (up to rc4) on woody (i386). Perhaps you could point out a mistake I haven't noticed or confirm there is a bug in samba regarding secondary group handling (perhaps an older glibc version issue or something)?

I'm building samba as you described it, having all necessary libraries backported (acl, attr and such) except that I use python 2.2 to spare myself backporting python 2.3 to woody (I don't use samba's python package, so I considered this won't hurt). The packages build fine and both samba and winbindd run OK.

The configuration uses a Windows NT PDC with NT users and groups imported to the linux box via winbindd. The configuration is:

//----- nsswitch.conf
passwd:         files winbind
group:          files winbind
[... the rest is left default]
//-----

//----- smb.conf - the winbind part:
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
//-----

... and the 'virtual' users are visible to the local system:

dalet-fs:~# groups lukaszg
lukaszg : mediacom Domain Users RDS
dalet-fs:~# groups APCZ
APCZ : Domain Users mediacom RCS Selektor

... and so on.

The problem comes out when I want to limit access to certain shares based on the user's supplementary group, like:

valid users = @mediacom

When the group is the user's primary group, everything works fine (i.e. user lukaszg shown above with the primary NT group set to mediacom can access the share). But when it's their secondary group, the connection is refused with a message:

dalet-fs:~# smbclient //fs/RDS -U lukaszg
Password:
tree connect failed: NT_STATUS_ACCESS_DENIED

When I look at the appropriate smbd's /proc entry (after logging in, to a share that allows it), it looks like only the primary group is initialized for the user:

dalet-fs:~# smbclient //fs/mediacom -U lukaszg
Password:
smb: \>
[2]+  Stopped                 smbclient //fs/mediacom -U lukaszg
dalet-fs:~# smbstatus
[...]
30355  lukaszg   mediacom   fs           (192.168.47.38)
[...]
dalet-fs:~# cat /proc/30355/status
Name:   smbd
State:  S (sleeping)
[...]
Uid:    0       10017   0       10017
Gid:    0       10006   10006   10006
FDSize: 32
Groups: 10006 10006

When I try to log into the other share (RDS being the user's supplementary group), the log says:

[2003/09/22 19:09:13, 4, pid=30412] smbd/reply.c:reply_tcon_and_X(266)
  Client requested device type [?????] for share [RDS]
[2003/09/22 19:09:13, 5, pid=30412] smbd/service.c:make_connection(860)
  making a connection to 'normal' service rds
[2003/09/22 19:09:13, 10, pid=30412] lib/username.c:user_in_list(504)
  user_in_list: checking user lukaszg in list
[2003/09/22 19:09:13, 10, pid=30412] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |root|
[2003/09/22 19:09:13, 10, pid=30412] lib/username.c:user_in_list(504)
  user_in_list: checking user lukaszg in list
[2003/09/22 19:09:13, 10, pid=30412] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |@RDS|
[2003/09/22 19:09:13, 5, pid=30412] lib/username.c:user_in_netgroup_list(312)
  looking for user lukaszg of domain krakow.rmf in netgroup RDS
[2003/09/22 19:09:13, 5, pid=30412] lib/username.c:user_in_netgroup_list(314)
  innetgr is FALSE
[2003/09/22 19:09:14, 10, pid=30412] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |lgrochal|
[2003/09/22 19:09:14, 10, pid=30412] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |krzys|
[2003/09/22 19:09:14, 10, pid=30412] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |internet|
[2003/09/22 19:09:14, 2, pid=30412] smbd/service.c:make_connection_snum(384)
  user 'lukaszg' (from session setup) not permitted to access this share (RDS)
[2003/09/22 19:09:14, 3, pid=30412] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2003/09/22 19:09:14, 3, pid=30412] smbd/error.c:error_packet(113)
  error packet at smbd/reply.c(274) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

... or, with @RDS replaced by +RDS, which, in theory, should be sufficient:

[2003/09/22 19:12:48, 4, pid=30436] smbd/reply.c:reply_tcon_and_X(266)
  Client requested device type [?????] for share [RDS]
[2003/09/22 19:12:48, 5, pid=30436] smbd/service.c:make_connection(860)
  making a connection to 'normal' service rds
[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(504)
  user_in_list: checking user lukaszg in list
[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |root|
[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(504)
  user_in_list: checking user lukaszg in list
[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |+RDS|
[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |lgrochal|
[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |krzys|
[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
  user_in_list: checking user |lukaszg| against |internet|
[2003/09/22 19:12:48, 2, pid=30436] smbd/service.c:make_connection_snum(384)
  user 'lukaszg' (from session setup) not permitted to access this share (RDS)
[2003/09/22 19:12:48, 3, pid=30436] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2003/09/22 19:12:48, 3, pid=30436] smbd/error.c:error_packet(113)
  error packet at smbd/reply.c(274) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Can you confirm if this is a problem indeed, or just some misconfiguration on my part? I'll greatly appreciate any help or suggestions.

Regards,
-- 
Łukasz Grochal             | Give an infinite number of monkeys typewriters
lukie [at] berdyczow.org   | and they'll produce the works of Shakespeare.
PGP key, SSL cert etc. at  | Unfortunately, I feel like I'm reading all the
http://www.berdyczow.org/  | books where they didn't.    /internetisshit.org/
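The /proc comparison the mail does by hand (reading the Groups: line of the smbd's status file against what `groups` reports for the user) is the useful check here, because a `valid users = @group` or `+group` rule can only match a supplementary group that the serving process actually holds. The following POSIX sh helper is an added example, not code from the mail or from Samba or Debian. It parses the Groups: line of a /proc/<pid>/status text and lists the GIDs that NSS reports for the user but the process is missing. The status text embedded below is the one quoted in the mail; the GIDs 10017 and 10031 used for the supplementary groups in the test are constructed placeholders, since the mail names the groups (Domain Users, RDS) but not their idmap GIDs. `check_pid` assumes a Linux /proc layout and the `id -G` form of id(1).

```shell
#!/bin/sh
# Added diagnostic (not from the original mail): does a running smbd hold
# every supplementary GID that NSS (files + winbind) reports for the user?

# Sample /proc/<pid>/status text, reproduced from the mail. On the real box
# the fields are tab-separated; awk splits on any whitespace, so both work.
STATUS_SAMPLE='Name:	smbd
State:	S (sleeping)
Uid:	0	10017	0	10017
Gid:	0	10006	10006	10006
FDSize:	32
Groups:	10006 10006'

# proc_groups <status_text>
# Print the distinct supplementary GIDs from the Groups: line, one per line,
# numerically sorted (the kernel may list the primary GID more than once).
proc_groups() {
    printf '%s\n' "$1" |
        awk '/^Groups:/ { for (i = 2; i <= NF; i++) print $i }' |
        sort -un
}

# missing_groups <status_text> <expected_gid>...
# Print each expected GID that the process does not hold. Empty output means
# the process carries every group NSS knows about for the user.
missing_groups() {
    status="$1"; shift
    have=$(proc_groups "$status")
    for gid in "$@"; do
        printf '%s\n' "$have" | grep -qx "$gid" || printf '%s\n' "$gid"
    done
}

# check_pid <pid> <user>
# Live form of the check: read the real status file and take the expected
# GID list from id(1). Word splitting of $(id -G ...) is intentional.
check_pid() {
    missing_groups "$(cat "/proc/$1/status")" $(id -G "$2")
}

# Usage on a live system (smbd pid taken from smbstatus):
#   check_pid 30355 lukaszg
# Any GID printed is one the user has through NSS but the smbd never
# initialized, which is exactly the state the mail describes.
```

Run it against the smbd pid shown by `smbstatus` right after the user connects to a share that admits them; if the supplementary GIDs come back as missing, the share-level `valid users` rule is being evaluated against an incomplete group list and no amount of @group/+group syntax in smb.conf will change the result.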