Situation:
-- samba ads configuration
samba 3.0.2a on debian 3.0 woody
net ads join worked, kinit works, windows clients can connect to the server using the kerberos login.

Now the case: when logging in with user+pass the smbd daemon is a member of the correct groups; when doing this with a kerberos ticket the smbd daemon isn't.

# smbclient //fileserver/export -U username
Password: ****

/proc/8870/status shows the following, notice the Groups entry

User+Password login:
--------------------
Name: smbd
State: S (sleeping)
Tgid: 8870
Pid: 8870
PPid: 8525
TracerPid: 0
Uid: 10026 10026 0 10026
Gid: 0 10000 0 10000
FDSize: 32
Groups: 10000 10015 10014 10003
VmSize: 7672 kB
VmLck: 0 kB
VmRSS: 3332 kB
VmData: 1920 kB
VmStk: 20 kB
VmExe: 2136 kB
VmLib: 3224 kB
SigPnd: 0000000000000000
SigBlk: 0000000000001880
SigIgn: 8000000000001000
SigCgt: 0000000000014661
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 0000000000000000

Now using a kerberos ticket (after a kinit):

# smbclient //fileservertest/export -U username -k

and this also works:

# smbclient //fileservertest/export -k

Kerberos login (file: /proc/8851/status):
---------------
Name: smbd
State: S (sleeping)
Tgid: 8851
Pid: 8851
PPid: 8525
TracerPid: 0
Uid: 10026 10026 0 10026
Gid: 0 10000 10000 10000
FDSize: 32
Groups: 10000 10000
VmSize: 7672 kB
VmLck: 0 kB
VmRSS: 3528 kB
VmData: 1920 kB
VmStk: 20 kB
VmExe: 2136 kB
VmLib: 3224 kB
SigPnd: 0000000000000000
SigBlk: 0000000000001880
SigIgn: 8000000000003000
SigCgt: 0000000000014661
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 0000000000000000

Groups: 10000 10000 -> that's NOT okay

What is happening here? id username returns the correct groups, so winbind works, but smbd doesn't seem to find the correct groups when logging in with a correct kerberos ticket. Is group membership also a part of the kerberos ticket? (I don't know if this is a samba bug or an incorrect windows dc config.) Please help, it's driving me nuts!
Found this out: the user in the supplied example is a domain user w/ debugging at 10:

logfile entry:
sys_getgrouplist(): disabled winbindd for group lookup [user == username]

I do not think this is supposed to happen in this case, my smb.conf:

[global]
workgroup = ECHEM
realm = ECHEM.COM
netbios name = FILESERVERTEST
security = ADS
syslog = 1
log file = /var/log/samba/log.%m
printcap name = cups
os level = 10
preferred master = No
local master = No
domain master = No
idmap uid = 10000-60000
idmap gid = 10000-60000
template homedir = /cluster/homes/homedirs/%U
winbind separator = %
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
printing = cups
printer admin = MasterChief, @"Domain Admins"
log level = 10
encrypt passwords = true

[export]
comment = Export share
path = /cluster/data/export
admin users = @"Domain Admins"
read only = No
create mask = 0660
directory mask = 2770
winbind separator = % is supposed to be winbind separator = + (pasted from the wrong window :-/ )
Changing the winbind separator doesn't make any difference, samba still thinks kerberos login users belong to the system and winbind lookups should not be done.
lib/system_smbd.c line 116:

if ( (p = strchr(user, *lp_winbind_separator())) == NULL ) {

Something goes wrong here, it seems user isn't formatted like "username+DOM.COM", that's why winbind is not being used for group lookups. Maybe something is not going well in the kerberos ticket parsing code (which fills the 'user' variable), but I'm not a coder so I'll leave the bugfixing to you :)
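An added model of the interaction between fill_domain_username() and the separator check quoted above (written for this thread, not Samba's own source): the smb.conf helpers are stubbed as hypothetical globals, and the "patched" variant follows the intent of the fill_domain_username() patch posted later in the thread, which always qualifies the name with the domain.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the code paths discussed in this thread; not Samba's
 * own source. Function names mirror the real ones only for readability. */
#define FSTRING_LEN 256
typedef char fstring[FSTRING_LEN];

/* Stand-ins for the smb.conf-driven helpers (hypothetical globals). */
static bool g_use_default_domain = true;   /* winbind use default domain = yes */
static const char *g_winbind_separator = "+";
static const char *g_workgroup = "ECHEM";

/* assume_domain(): true when the name may be left unqualified. */
static bool assume_domain(const char *domain) {
    return g_use_default_domain && strcmp(domain, g_workgroup) == 0;
}

/* Pre-patch behaviour: the assumed domain yields a bare "username". */
void fill_domain_username_old(fstring name, const char *domain, const char *user) {
    if (assume_domain(domain))
        snprintf(name, FSTRING_LEN, "%s", user);
    else
        snprintf(name, FSTRING_LEN, "%s%s%s", domain, g_winbind_separator, user);
}

/* Patched intent: always emit DOMAIN<separator>user. */
void fill_domain_username_new(fstring name, const char *domain, const char *user) {
    snprintf(name, FSTRING_LEN, "%s%s%s", domain, g_winbind_separator, user);
}

/* The lib/system_smbd.c check quoted above: no separator in the name means
 * "local user", so winbindd is skipped for secondary-group lookup. */
bool winbind_used_for_groups(const char *user) {
    return strchr(user, *g_winbind_separator) != NULL;
}

/* Run the chain for one login and report whether domain groups get resolved. */
bool secondary_groups_resolved(bool patched, const char *domain, const char *user) {
    fstring name;
    if (patched) fill_domain_username_new(name, domain, user);
    else         fill_domain_username_old(name, domain, user);
    return winbind_used_for_groups(name);
}

int main(void) {
    const char *miss = "groups MISSING", *ok = "groups ok";
    printf("unpatched, ECHEM: %s\n", secondary_groups_resolved(false, "ECHEM", "username") ? ok : miss);
    printf("patched,   ECHEM: %s\n", secondary_groups_resolved(true, "ECHEM", "username") ? ok : miss);
    return 0;
}
```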
Please send me a level 10 debug log of the Samba server. I can't reproduce this locally. Thanks.
Created attachment 431 [details] log level 10 debug output of a smbclient -k login gzipped

Here is the debug output. Thanks for taking a look at it. Btw, I've disabled the mentioned check in the source, recompiled the debian packages and tried it on our testserver. It works for me, but that's not good enough ;).
I really need the server side log, not the client.
Dear Jerry, I got the attached gzipped file from /var/log/samba/log.fileserver, and the contents is the smbd logging from a smbclient -k login sequence for your convenience. So this is the server log; if it isn't, I have no idea how smbclient called from a non-root environment can write to /var/log/samba/log.fileserver. :)
Sorry. I misread comment #6. It's another bug in 'winbind use default domain'. Disable that option and see if things work ok. I'll keep looking into this today.
Created attachment 433 [details] patch to fix fill_domain_username()

Here's a patch to make winbindd fill in the passwd struct correctly even when 'winbind use default domain = yes'
I do not have access to the machine now, but I recall that I've tried to disable the winbind default domain option (by commenting it out and by setting it to no). I can't recall that it worked but I can be wrong; I'll patch the server when I get access again and report back to you. (I have no idea when that will be, sorry.)
No problem. Since I've reproduced this locally and the patch does correct it, I'm marking this as fixed. If you find otherwise, please reopen it. Thanks.
Reworking patch. Reopening so I don't forget about it.
*** Bug 1126 has been marked as a duplicate of this bug. ***
Adding CC from bug 1126.
Comment on attachment 433 [details] patch to fix fill_domain_username() >Index: nsswitch/winbindd_util.c >=================================================================== >RCS file: /data/cvs/samba/source/nsswitch/winbindd_util.c,v >retrieving revision 1.73.2.47 >diff -u -r1.73.2.47 winbindd_util.c >--- nsswitch/winbindd_util.c 10 Feb 2004 03:51:19 -0000 1.73.2.47 >+++ nsswitch/winbindd_util.c 11 Mar 2004 14:20:23 -0000 >@@ -568,13 +568,17 @@ > */ > void fill_domain_username(fstring name, const char *domain, const char *user) > { >+# if 0 /* JERRY - break secondary groups */ > if (assume_domain(domain)) { > strlcpy(name, user, sizeof(fstring)); > } else { >+#endif /* JERRY */ > slprintf(name, sizeof(fstring) - 1, "%s%s%s", > domain, lp_winbind_separator(), > user); >+#if 0 /* JERRY */ > } >+#endif /* JERRY */ > } > > /*
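Review bot: the hunk in fill_domain_username() wraps the assume_domain() branch and its matching else-brace in `#if 0 /* JERRY - break secondary groups */` instead of removing or fixing it, which leaves dead code behind and means 'winbind use default domain' is silently ignored by every caller of this function, not just the secondary-group lookup path that was failing. Suggest either deleting the branch outright (with the option's changed semantics documented) or keeping the unqualified name for display and fixing the group lookup separately; the `#if 0` blocks with a personal tag should not land in CVS as is.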
Created attachment 441 [details] new patch to fix issues with winbind use default domain = yes and secondary groups
This is the patch that will go into CVS. Works locally so I'm marking this as fixed. Please reopen this bug if it doesn't clear things up for you.
Created attachment 442 [details] new version of patch -- fixed pointer problem

New version of patch. I uploaded the wrong diff previously.
Sorry for the spam, cleaning up the database to prevent unnecessary reopens of bugs.