Discovered by Andreas (asn@samba.org) and myself. NT Tokens created from an info3 struct (either via a krb5 PAC or an info3 struct from the DC) do not get local groups from /etc/group added to their internal tokens in smbd. Consider the following case. Remote user DOMAIN+administrator, and a local group added in /etc/group. ntadmins:x:1001:DOMAIN+administrator,root If there is no local mapping for group ntadmins, then when DOMAIN+administrator logs in the token created inside smbd will not include the UNIX group SID S-1-22-2-1001. If ntadmins is then used in an ACL or share restriction then the user will get ACCESS_DENIED when accessing that resource. Patch to follow.
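As an added illustration (not Samba code and not part of the bug report), the following Python models the token construction described above: a user whose SIDs come from the DC's info3/PAC, an /etc/group entry listing that user, and a share check that requires the group. Samba represents a UNIX gid as the SID S-1-22-2-<gid>; the function names, the toy share check and the /etc/group contents are constructed for this example. The `add_local_groups=False` path reproduces the reported behaviour, the `True` path the expected one.

```python
"""
Added example (not Samba's code): models how an NT token gains UNIX group
SIDs from /etc/group, and what the bug in this report looks like.

Assumptions (not from the bug report): the function names, the toy share
check and the /etc/group contents below are constructed for illustration.
Samba maps a UNIX gid to the SID S-1-22-2-<gid>; that mapping is the fact
the report relies on.
"""

# Constructed /etc/group contents. The ntadmins line is the one from the report.
ETC_GROUP = """\
root:x:0:
users:x:100:
ntadmins:x:1001:DOMAIN+administrator,root
"""

UNIX_GROUP_SID_PREFIX = "S-1-22-2-"


def parse_etc_group(text):
    """Return {group_name: (gid, [members])} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        members = [m for m in members.split(",") if m]
        groups[name] = (int(gid), members)
    return groups


def unix_group_sid(gid):
    """SID Samba uses for an unmapped UNIX group with this gid."""
    return UNIX_GROUP_SID_PREFIX + str(gid)


def local_group_sids_for(user, groups):
    """SIDs of every /etc/group entry that lists `user` as a member."""
    return {unix_group_sid(gid) for gid, members in groups.values()
            if user in members}


def build_token(user, domain_sids, groups, add_local_groups):
    """Simulate token construction.

    `domain_sids` is what the DC's info3 / Kerberos PAC supplied. The
    reported bug corresponds to add_local_groups=False: the token keeps only
    DC-supplied SIDs and never gains S-1-22-2-<gid> for /etc/group entries.
    """
    token = set(domain_sids)
    if add_local_groups:
        token |= local_group_sids_for(user, groups)
    return token


def share_allows(token, groups, valid_group):
    """Toy 'valid users = @group' check: access iff the group's SID is in the token."""
    gid, _members = groups[valid_group]
    return unix_group_sid(gid) in token


def demo():
    groups = parse_etc_group(ETC_GROUP)
    # Constructed placeholder SIDs standing in for the user's own SID and a
    # domain group; real values come from the DC, not from this example.
    domain_sids = ["S-1-5-21-1-2-3-500", "S-1-5-21-1-2-3-513"]
    user = "DOMAIN+administrator"
    buggy = build_token(user, domain_sids, groups, add_local_groups=False)
    fixed = build_token(user, domain_sids, groups, add_local_groups=True)
    return {
        "buggy_has_sid": unix_group_sid(1001) in buggy,
        "fixed_has_sid": unix_group_sid(1001) in fixed,
        "buggy_access": share_allows(buggy, groups, "ntadmins"),
        "fixed_access": share_allows(fixed, groups, "ntadmins"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the buggy token lacking S-1-22-2-1001 and the ntadmins check failing (the ACCESS_DENIED case), while the fixed token carries the SID and the check passes.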
Created attachment 9797 [details] git-am patch that went into master. Cherry-pick of 6034ab521c47fc5f4732398652c9c6847ff92035 applies cleanly to 4.1.next and 4.0.next. Jeremy.
Comment on attachment 9797 [details] git-am patch that went into master. LGTM
Karolin, please add the patch to v4-0-test and v4-1-test. Thanks!
Actually Karolin, can you hold off until I've discussed the follow-up patch with Andrew Bartlett ? This patch, although correct for smbd file serving, can cause the samba AD binary to fail to start smbd correctly under some circumstances (reported by Kukks on the samba-technical mailing list). I have a follow-up patch that fixes this issue, but it does need a second positive Team review (which I'm hoping to get today). Jeremy.
Created attachment 9799 [details] Patch made from merged commit. Ok, here is a (raw patch, non-git-am) version of the two commits I think we need merged into one patch to make it clearer. Once I've got the second commit into master I'll post this as a git-am fix for 4.1.next and 4.0.next. Jeremy.
Created attachment 9800 [details] Fixed patch - no compiles :-). In master, guest account is lp_guest_account(). In 4.1.x and below it's lp_guestaccount().
Created attachment 9801 [details] Back-ported git-am fix for 4.1.next, 4.0.next OK, here is a squashed backport of master fixes 6034ab521c47fc5f4732398652c9c6847ff92035 and a9fa09723bee3588db2168ac13f7ad0334452c11 that applies cleanly to 4.0.next and 4.1.next. Andreas, please review this one (should be clearer in what it's doing than the earlier fix you reviewed). Cheers, Jeremy.
Comment on attachment 9801 [details] Back-ported git-am fix for 4.1.next, 4.0.next LGTM
Karolin, please add it to 4.1 and 4.0. Thanks!
Ping. Want to make sure this one gets in for 4.0.17. Cheers, Jeremy.
(In reply to comment #10)
> Ping. Want to make sure this one gets in for 4.0.17.
>
> Cheers,
>
> Jeremy.

Pushed to autobuild.v4-1-test and autobuild-v4-0-test.
(In reply to comment #11)
> (In reply to comment #10)
> > Ping. Want to make sure this one gets in for 4.0.17.
> >
> > Cheers,
> >
> > Jeremy.
>
> Pushed to autobuild.v4-1-test and autobuild-v4-0-test.

Pushed to v4-1-test, autobuild-v4-0-test failed, re-trying...
Pushed to v4-0-test. Closing out bug report. Thanks!