The Samba-Bugzilla – Attachment 168 Details for Bug 406
Bug 406: no supplementary groups if winbind use default domain = True (ADS)
Attachment 168: ad406.txt (text/plain), 6.43 KB
Description: Test case on a production server running 3.0rc4.
Creator: Lukasz Grochal
Created: 2003-09-28 17:48:50 UTC
patch
obsolete
>From: lukie@berdyczow.org (Łukasz Grochal)
>Subject: Problem (a bug?) with Samba 3.0 rcX on Debian Woody.
>To: peloy@debian.org
>Date: Mon, 22 Sep 2003 19:17:32 +0200
>X-Sent: 6 days, 7 hours, 27 minutes, 48 seconds ago
>User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (gnu/linux)
>
>Hello,
>
>I've come across a problem with a certain configuration of Samba 3.0
>rcX (up to rc4) on woody (i386). Perhaps you could point out a mistake
>I haven't noticed or confirm there is a bug in samba regarding secondary
>group handling (perhaps an older glibc version issue or something)?
>
>I'm building samba as you described it, having all necessary libraries
>backported (acl, attr and such) except that I use python 2.2 to spare
>myself backporting python 2.3 to woody (I don't use samba's python
>package, so I considered this won't hurt). The packages build fine
>and both samba and winbindd run OK. The configuration uses a Windows
>NT PDC with NT users and groups imported to linux box via winbindd.
>
>The configuration is:
>
>//----- nsswitch.conf
>passwd: files winbind
>group: files winbind
>[... the rest is left default]
>//-----
>
>//----- smb.conf - the winbind part:
> winbind cache time = 10
> template shell = /bin/bash
> template homedir = /home/%D/%U
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
>//-----
>
>... and the 'virtual' users are visible to the local system:
>
>dalet-fs:~# groups lukaszg
>lukaszg : mediacom Domain Users RDS
>dalet-fs:~# groups APCZ
>APCZ : Domain Users mediacom RCS Selektor
>
>... and so on.
>
>The problem comes out, when I want to limit access to certain
>shares based on user's supplementary group, like:
>
> valid users = @mediacom
>
>When the group is user's primary group, everything works fine.
>(i.e. user lukaszg shown above with the primary NT group set
>to mediacom can access the share). But when it's their secondary
>group, the connection is refused with a message:
>
>dalet-fs:~# smbclient //fs/RDS -U lukaszg
>Password:
>tree connect failed: NT_STATUS_ACCESS_DENIED
>
>When I look at the appropriate smbd's /proc entry (after logging in,
>to a share that allows it), it looks like only the primary group is
>initialized for the user:
>
>dalet-fs:~# smbclient //fs/mediacom -U lukaszg
>Password:
>smb: \>
>[2]+ Stopped smbclient //fs/mediacom -U lukaszg
>dalet-fs:~# smbstatus
>[...]
>30355 lukaszg mediacom fs (192.168.47.38)
>[...]
>dalet-fs:~# cat /proc/30355/status
>Name: smbd
>State: S (sleeping)
>[...]
>Uid: 0 10017 0 10017
>Gid: 0 10006 10006 10006
>FDSize: 32
>Groups: 10006 10006
>
>When I try to log into the other share (RDS being user's supplementary
>group), the log says:
>
>[2003/09/22 19:09:13, 4, pid=30412] smbd/reply.c:reply_tcon_and_X(266)
> Client requested device type [?????] for share [RDS]
>[2003/09/22 19:09:13, 5, pid=30412] smbd/service.c:make_connection(860)
> making a connection to 'normal' service rds
>[2003/09/22 19:09:13, 10, pid=30412] lib/username.c:user_in_list(504)
> user_in_list: checking user lukaszg in list
>[2003/09/22 19:09:13, 10, pid=30412] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |root|
>[2003/09/22 19:09:13, 10, pid=30412] lib/username.c:user_in_list(504)
> user_in_list: checking user lukaszg in list
>[2003/09/22 19:09:13, 10, pid=30412] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |@RDS|
>[2003/09/22 19:09:13, 5, pid=30412] lib/username.c:user_in_netgroup_list(312)
> looking for user lukaszg of domain krakow.rmf in netgroup RDS
>[2003/09/22 19:09:13, 5, pid=30412] lib/username.c:user_in_netgroup_list(314)
> innetgr is FALSE
>[2003/09/22 19:09:14, 10, pid=30412] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |lgrochal|
>[2003/09/22 19:09:14, 10, pid=30412] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |krzys|
>[2003/09/22 19:09:14, 10, pid=30412] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |internet|
>[2003/09/22 19:09:14, 2, pid=30412] smbd/service.c:make_connection_snum(384)
> user 'lukaszg' (from session setup) not permitted to access this share (RDS)
>[2003/09/22 19:09:14, 3, pid=30412] smbd/error.c:error_packet(94)
> error string = No such file or directory
>[2003/09/22 19:09:14, 3, pid=30412] smbd/error.c:error_packet(113)
> error packet at smbd/reply.c(274) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
>... or, with @RDS replaced by +RDS, which, in theory, should be sufficient:
>
>[2003/09/22 19:12:48, 4, pid=30436] smbd/reply.c:reply_tcon_and_X(266)
> Client requested device type [?????] for share [RDS]
>[2003/09/22 19:12:48, 5, pid=30436] smbd/service.c:make_connection(860)
> making a connection to 'normal' service rds
>[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(504)
> user_in_list: checking user lukaszg in list
>[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |root|
>[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(504)
> user_in_list: checking user lukaszg in list
>[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |+RDS|
>[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |lgrochal|
>[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |krzys|
>[2003/09/22 19:12:48, 10, pid=30436] lib/username.c:user_in_list(508)
> user_in_list: checking user |lukaszg| against |internet|
>[2003/09/22 19:12:48, 2, pid=30436] smbd/service.c:make_connection_snum(384)
> user 'lukaszg' (from session setup) not permitted to access this share (RDS)
>[2003/09/22 19:12:48, 3, pid=30436] smbd/error.c:error_packet(94)
> error string = No such file or directory
>[2003/09/22 19:12:48, 3, pid=30436] smbd/error.c:error_packet(113)
> error packet at smbd/reply.c(274) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
>Can you confirm, if this is a problem indeed, or just some misconfiguration
>on my part? I'll greatly appreciate any help or suggestions.
>
>Regards,
>
>--
>Łukasz Grochal | Give an infinite number of monkeys typewriters
>lukie [at] berdyczow.org | and they'll produce the works of Shakespeare.
>PGP key, SSL cert etc. at | Unfortunately, I feel like I'm reading all the
>http://www.berdyczow.org/ | books where they didn't. /internetisshit.org/
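An added diagnostic for the symptom in the report above (not part of the attachment or of Samba): it parses a /proc/<pid>/status in the form quoted there and reports which of the user's NSS groups the forked smbd is not carrying in its supplementary group list. The sample status text is constructed to mirror the quoted one, and the GIDs 10010 and 10011 standing in for 'Domain Users' and 'RDS' are assumed values.

```python
"""Compare an smbd's kernel group list with what NSS/winbind says the user has.

The report shows 'Groups: 10006 10006' for a user that 'groups lukaszg' lists
in three groups, so a 'valid users = @RDS' check on a supplementary group
fails. This script makes that mismatch explicit. Diagnostic added here, not
Samba code.
"""
import os

# Constructed sample mirroring the /proc/30355/status quoted in the report.
SAMPLE_STATUS = """\
Name:\tsmbd
State:\tS (sleeping)
Uid:\t0\t10017\t0\t10017
Gid:\t0\t10006\t10006\t10006
FDSize:\t32
Groups:\t10006 10006
"""


def parse_status(text):
    """Return (effective uid, effective gid, set of supplementary gids)."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    uid = int(fields["Uid"][1])  # columns: real, effective, saved, fs
    gid = int(fields["Gid"][1])
    groups = {int(g) for g in fields.get("Groups", [])}
    return uid, gid, groups


def missing_groups(status_text, expected_gids):
    """GIDs the user should hold (per NSS) that the process does not carry."""
    _, gid, groups = parse_status(status_text)
    held = groups | {gid}  # primary gid counts even if absent from Groups:
    return sorted(set(expected_gids) - held)


def check_pid(pid, username):
    """Live check on a POSIX host: a running smbd versus NSS group membership."""
    import pwd  # POSIX only; imported here so the pure functions work anywhere
    with open(f"/proc/{pid}/status") as fh:
        status = fh.read()
    pw = pwd.getpwnam(username)
    return missing_groups(status, os.getgrouplist(username, pw.pw_gid))


if __name__ == "__main__":
    # 10006 = mediacom (primary); 10010/10011 are constructed supplementary GIDs.
    print(missing_groups(SAMPLE_STATUS, [10006, 10010, 10011]))  # [10010, 10011]
```

For a live server, call check_pid with the PID shown by smbstatus and the connecting user's name; an empty list means the process carries every group NSS reports.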