Bug 1636 - not enough groups for an AD user.
Summary: not enough groups for an AD user.
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.6
Hardware: All All
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-20 06:55 UTC by greg lim
Modified: 2004-08-20 12:26 UTC
CC List: 0 users

See Also:


Attachments

Description greg lim 2004-08-20 06:55:41 UTC
Samba 3.0.x seems to be unable to see more than 32 groups for any user
in our W2K3 ActiveDirectory. I've verified up to 3.0.6rc2 up from about 3.0.1
or so. My cave-man-like fix was to add a "return 500;" as the first line in the
function groups_max() in "lib/system.c". For reference, our AD has about 410+
groups in it and we easily have users in 80-90 groups. Samba works fine for
us after adding "return 500;". You can see the failure at log level 10 in
"log.smbd"... I will post fragments of our logs with and without the "fix".
Comment 1 greg lim 2004-08-20 10:08:16 UTC
Names have been changed to protect our security dept's sanity:
Please take care to especially look at the output of:
auth/auth_util.c:debug_unix_user_token(505)

BEFORE CHANGE:
  Finding user TEST_DOMAIN+johndoe
[2004/07/07 12:43:10, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is TEST_DOMAIN+johndoe
[2004/07/07 12:43:10, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [TEST_DOMAIN+johndoe]!
[2004/07/07 12:43:10, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/07/07 12:43:10, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/07/07 12:43:10, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/07/07 12:43:10, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/07/07 12:43:10, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/07/07 12:43:10, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [], filter =>
[(&(objectClass=sambaGroupMapping)(gidNumber=10001))], scope => [2]
[2004/07/07 12:43:10, 2] lib/smbldap.c:smbldap_open_connection(639)
  smbldap_open_connection: connection opened
[2004/07/07 12:43:10, 0] lib/smbldap.c:fetch_ldap_pw(260)
  fetch_ldap_pw: neither ldap secret retrieved!
[2004/07/07 12:43:10, 0] lib/smbldap.c:smbldap_connect_system(760)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2004/07/07 12:43:10, 1] lib/smbldap.c:smbldap_retry_open(909)
  Connection to LDAP Server failed for the 1 try!
[2004/07/07 12:43:10, 0]
passdb/pdb_ldap.c:ldapsam_search_one_group(1763)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(unknown) (Invalid credentials)
  ldapsam_search_one_group: Query was: ,
(&(objectClass=sambaGroupMapping)(gidNumber=10001))
[2004/07/07 12:43:10, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/07/07 12:43:10, 4] lib/substitute.c:automount_server(323)
  Home server: samba3x
[2004/07/07 12:43:10, 4] lib/substitute.c:automount_server(323)
  Home server: samba3x
[2004/07/07 12:43:10, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10752
  Primary group is 10001 and contains 32 supplementary groups
  Group[  0]: 10000
  Group[  1]: 10017
  Group[  2]: 10050
  Group[  3]: 10051
  Group[  4]: 10054
  Group[  5]: 10061
  Group[  6]: 10071
  Group[  7]: 10072
  Group[  8]: 10075
  Group[  9]: 10081
  Group[ 10]: 10105
  Group[ 11]: 10116
  Group[ 12]: 10122
  Group[ 13]: 10123
  Group[ 14]: 10128
  Group[ 15]: 10137
  Group[ 16]: 10138
  Group[ 17]: 10144
  Group[ 18]: 10160
  Group[ 19]: 10164
  Group[ 20]: 10165
  Group[ 21]: 10170
  Group[ 22]: 10182
  Group[ 23]: 10192
  Group[ 24]: 10345
  Group[ 25]: 10348
  Group[ 26]: 10355
  Group[ 27]: 10356
  Group[ 28]: 10358
  Group[ 29]: 10362
  Group[ 30]: 10364
  Group[ 31]: 10365
[2004/07/07 12:43:10, 3] smbd/password.c:register_vuid(222)
  User name: TEST_DOMAIN+johndoe    Real name: john doe 
[2004/07/07 12:43:10, 3] smbd/password.c:register_vuid(241)
  UNIX uid 10752 is UNIX user TEST_DOMAIN+johndoe, and will be vuid 100
[2004/07/07 12:43:10, 3] smbd/password.c:register_vuid(265)
  Adding/updating homes service for user 'TEST_DOMAIN+johndoe' using
home directory: '/home/johndoe'
[2004/07/07 12:43:10, 3] param/loadparm.c:lp_add_home(2318)
  adding home's share [johndoe] for user 'TEST_DOMAIN+johndoe' at ''
[2004/07/07 12:43:10, 3] smbd/process.c:process_smb(890)
  Transaction 2 of length 84



AFTER CHANGE:

  Finding user TEST_DOMAIN+johndoe
[2004/07/26 11:24:00, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is TEST_DOMAIN+johndoe
[2004/07/26 11:24:00, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [TEST_DOMAIN+johndoe]!
[2004/07/26 11:24:00, 6] param/loadparm.c:lp_file_list_changed(2665)
  lp_file_list_changed()
  file /usr/local/samba/lib/smb.conf -> /usr/local/samba/lib/smb.conf
last mod_time: Mon Jul 12 15:15:47 2004

[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_username(612)
  pdb_set_username: setting username TEST_DOMAIN+johndoe, was
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 12 -> now SET
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_fullname(693)
  pdb_set_full_name: setting full name john doe, was
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 13 -> now SET
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_unix_homedir(828)
  pdb_set_unix_homedir: setting home dir /home/johndoe, was NULL
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 22 -> now SET
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_domain(639)
  pdb_set_domain: setting domain SAMBA3X, was
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_user_sid(539)
  pdb_set_user_sid: setting user sid
S-1-5-21-2222222222-2222222222-2222222222-22222
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 18 -> now SET
[2004/07/26 11:24:00, 10]
passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-2222222222-2222222222-2222222222-22222
from rid 22504
[2004/07/26 11:24:00, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/07/26 11:24:00, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/07/26 11:24:00, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/07/26 11:24:00, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/07/26 11:24:00, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/07/26 11:24:00, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [], filter =>
[(&(objectClass=sambaGroupMapping)(gidNumber=10001))], scope => [2]
[2004/07/26 11:24:00, 10] lib/smbldap.c:smbldap_open_connection(543)
  smbldap_open_connection: ldap://localhost:389
[2004/07/26 11:24:00, 2] lib/smbldap.c:smbldap_open_connection(639)
  smbldap_open_connection: connection opened
[2004/07/26 11:24:00, 0] lib/smbldap.c:fetch_ldap_pw(260)
  fetch_ldap_pw: neither ldap secret retrieved!
[2004/07/26 11:24:00, 0] lib/smbldap.c:smbldap_connect_system(760)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2004/07/26 11:24:00, 1] lib/smbldap.c:smbldap_retry_open(909)
  Connection to LDAP Server failed for the 1 try!
[2004/07/26 11:24:00, 0]
passdb/pdb_ldap.c:ldapsam_search_one_group(1763)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(unknown) (Invalid credentials)
  ldapsam_search_one_group: Query was: ,
(&(objectClass=sambaGroupMapping)(gidNumber=10001))
[2004/07/26 11:24:00, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_group_sid(575)
  pdb_set_group_sid: setting group sid
S-1-5-21-3333333333-3333333333-3333333333-33333
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 19 -> now SET
[2004/07/26 11:24:00, 10]
passdb/pdb_compat.c:pdb_set_group_sid_from_rid(100)
  pdb_set_group_sid_from_rid:
        setting group sid
S-1-5-21-3333333333-3333333333-3333333333-33333 from rid 21003
[2004/07/26 11:24:00, 4] lib/substitute.c:automount_server(323)
  Home server: samba3x
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_profile_path(747)
  pdb_set_profile_path: setting profile path
\\samba3x\TEST_DOMAIN+johndoe\profile, was
[2004/07/26 11:24:00, 4] lib/substitute.c:automount_server(323)
  Home server: samba3x
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_homedir(801)
  pdb_set_homedir: setting home dir \\samba3x\TEST_DOMAIN+johndoe, was
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_dir_drive(774)
  pdb_set_dir_drive: setting dir drive , was NULL
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_logon_script(720)
  pdb_set_logon_script: setting logon script , was
[2004/07/26 11:24:00, 10] auth/auth_util.c:get_user_groups(667)
  get_user_groups: winbind_getgroups(TEST_DOMAIN+johndoe): result =
SUCCESS
[2004/07/26 11:24:00, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10752
  Primary group is 10001 and contains 48 supplementary groups
  Group[  0]: 10000
  Group[  1]: 10001
  Group[  2]: 10012
  Group[  3]: 10017
  Group[  4]: 10048
  Group[  5]: 10050
  Group[  6]: 10051
  Group[  7]: 10054
  Group[  8]: 10061
  Group[  9]: 10062
  Group[ 10]: 10071
  Group[ 11]: 10072
  Group[ 12]: 10075
  Group[ 13]: 10081
  Group[ 14]: 10105
  Group[ 15]: 10116
  Group[ 16]: 10119
  Group[ 17]: 10122
  Group[ 18]: 10123
  Group[ 19]: 10124
  Group[ 20]: 10126
  Group[ 21]: 10128
  Group[ 22]: 10137
  Group[ 23]: 10138
  Group[ 24]: 10144
  Group[ 25]: 10145
  Group[ 26]: 10160
  Group[ 27]: 10164
  Group[ 28]: 10165
  Group[ 29]: 10168
  Group[ 30]: 10170
  Group[ 31]: 10172
  Group[ 32]: 10173
  Group[ 33]: 10181
  Group[ 34]: 10182
  Group[ 35]: 10187
  Group[ 36]: 10192
  Group[ 37]: 10338
  Group[ 38]: 10344
  Group[ 39]: 10345
  Group[ 40]: 10348
  Group[ 41]: 10355
  Group[ 42]: 10356
  Group[ 43]: 10358
  Group[ 44]: 10362
  Group[ 45]: 10364
  Group[ 46]: 10365
  Group[ 47]: 10366
Comment 2 Volker Lendecke 2004-08-20 12:26:08 UTC
Depending on your Unix there is no way around that problem. It's the Unix kernel
that typically only allows 32 groups per user. Linux 2.6 has increased that, but
all other Unixes AFAIK have a very low limit.

Volker