Samba 3.0.x seems to be unable to see more than 32 groups for any user in our W2K3 Active Directory. I've verified this from about 3.0.1 up to 3.0.6rc2. My cave-man-like fix was to add a "return 500;" as the first line of the function groups_max() in "lib/system.c". For reference, our AD has about 410+ groups in it, and we easily have users in 80-90 groups. Samba works fine for us after adding "return 500;". You can see the failure at log level 10 in "log.smbd". I will post fragments of our logs with and without the "fix".
Names have been changed to protect our security dept's sanity. Please take care to especially look at the output of auth/auth_util.c:debug_unix_user_token(505).

BEFORE CHANGE:

Finding user TEST_DOMAIN+johndoe
[2004/07/07 12:43:10, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is TEST_DOMAIN+johndoe
[2004/07/07 12:43:10, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [TEST_DOMAIN+johndoe]!
[2004/07/07 12:43:10, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/07/07 12:43:10, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/07/07 12:43:10, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/07/07 12:43:10, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/07/07 12:43:10, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/07/07 12:43:10, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=10001))], scope => [2]
[2004/07/07 12:43:10, 2] lib/smbldap.c:smbldap_open_connection(639)
  smbldap_open_connection: connection opened
[2004/07/07 12:43:10, 0] lib/smbldap.c:fetch_ldap_pw(260)
  fetch_ldap_pw: neither ldap secret retrieved!
[2004/07/07 12:43:10, 0] lib/smbldap.c:smbldap_connect_system(760)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2004/07/07 12:43:10, 1] lib/smbldap.c:smbldap_retry_open(909)
  Connection to LDAP Server failed for the 1 try!
[2004/07/07 12:43:10, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1763)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Invalid credentials)
  ldapsam_search_one_group: Query was: , (&(objectClass=sambaGroupMapping)(gidNumber=10001))
[2004/07/07 12:43:10, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/07/07 12:43:10, 4] lib/substitute.c:automount_server(323)
  Home server: samba3x
[2004/07/07 12:43:10, 4] lib/substitute.c:automount_server(323)
  Home server: samba3x
[2004/07/07 12:43:10, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10752
  Primary group is 10001 and contains 32 supplementary groups
  Group[ 0]: 10000
  Group[ 1]: 10017
  Group[ 2]: 10050
  Group[ 3]: 10051
  Group[ 4]: 10054
  Group[ 5]: 10061
  Group[ 6]: 10071
  Group[ 7]: 10072
  Group[ 8]: 10075
  Group[ 9]: 10081
  Group[ 10]: 10105
  Group[ 11]: 10116
  Group[ 12]: 10122
  Group[ 13]: 10123
  Group[ 14]: 10128
  Group[ 15]: 10137
  Group[ 16]: 10138
  Group[ 17]: 10144
  Group[ 18]: 10160
  Group[ 19]: 10164
  Group[ 20]: 10165
  Group[ 21]: 10170
  Group[ 22]: 10182
  Group[ 23]: 10192
  Group[ 24]: 10345
  Group[ 25]: 10348
  Group[ 26]: 10355
  Group[ 27]: 10356
  Group[ 28]: 10358
  Group[ 29]: 10362
  Group[ 30]: 10364
  Group[ 31]: 10365
[2004/07/07 12:43:10, 3] smbd/password.c:register_vuid(222)
  User name: TEST_DOMAIN+johndoe  Real name: john doe
[2004/07/07 12:43:10, 3] smbd/password.c:register_vuid(241)
  ql UNIX uid 10752 is UNIX user TEST_DOMAIN+johndoe, and will be vuid 100
[2004/07/07 12:43:10, 3] smbd/password.c:register_vuid(265)
  Adding/updating homes service for user 'TEST_DOMAIN+johndoe' using home directory: '/home/johndoe'
[2004/07/07 12:43:10, 3] param/loadparm.c:lp_add_home(2318)
  adding home's share [johndoe] for user 'TEST_DOMAIN+johndoe' at ''
[2004/07/07 12:43:10, 3] smbd/process.c:process_smb(890)
  Transaction 2 of length 84

AFTER CHANGE:

Finding user TEST_DOMAIN+johndoe
[2004/07/26 11:24:00, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is TEST_DOMAIN+johndoe
[2004/07/26 11:24:00, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [TEST_DOMAIN+johndoe]!
[2004/07/26 11:24:00, 6] param/loadparm.c:lp_file_list_changed(2665)
  lp_file_list_changed()
  file /usr/local/samba/lib/smb.conf -> /usr/local/samba/lib/smb.conf  last mod_time: Mon Jul 12 15:15:47 2004
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_username(612)
  pdb_set_username: setting username TEST_DOMAIN+johndoe, was
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 12 -> now SET
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_fullname(693)
  pdb_set_full_name: setting full name john doe, was
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 13 -> now SET
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_unix_homedir(828)
  pdb_set_unix_homedir: setting home dir /home/johndoe, was NULL
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 22 -> now SET
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_domain(639)
  pdb_set_domain: setting domain SAMBA3X, was
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_user_sid(539)
  pdb_set_user_sid: setting user sid S-1-5-21-2222222222-2222222222-2222222222-22222
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 18 -> now SET
[2004/07/26 11:24:00, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid: setting user sid S-1-5-21-2222222222-2222222222-2222222222-22222 from rid 22504
[2004/07/26 11:24:00, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/07/26 11:24:00, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/07/26 11:24:00, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/07/26 11:24:00, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/07/26 11:24:00, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/07/26 11:24:00, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=10001))], scope => [2]
[2004/07/26 11:24:00, 10] lib/smbldap.c:smbldap_open_connection(543)
  smbldap_open_connection: ldap://localhost:389
[2004/07/26 11:24:00, 2] lib/smbldap.c:smbldap_open_connection(639)
  smbldap_open_connection: connection opened
[2004/07/26 11:24:00, 0] lib/smbldap.c:fetch_ldap_pw(260)
  fetch_ldap_pw: neither ldap secret retrieved!
[2004/07/26 11:24:00, 0] lib/smbldap.c:smbldap_connect_system(760)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2004/07/26 11:24:00, 1] lib/smbldap.c:smbldap_retry_open(909)
  Connection to LDAP Server failed for the 1 try!
[2004/07/26 11:24:00, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1763)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Invalid credentials)
  ldapsam_search_one_group: Query was: , (&(objectClass=sambaGroupMapping)(gidNumber=10001))
[2004/07/26 11:24:00, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_group_sid(575)
  pdb_set_group_sid: setting group sid S-1-5-21-3333333333-3333333333-3333333333-33333
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 19 -> now SET
[2004/07/26 11:24:00, 10] passdb/pdb_compat.c:pdb_set_group_sid_from_rid(100)
  pdb_set_group_sid_from_rid: setting group sid S-1-5-21-3333333333-3333333333-3333333333-33333 from rid 21003
[2004/07/26 11:24:00, 4] lib/substitute.c:automount_server(323)
  Home server: samba3x
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_profile_path(747)
  pdb_set_profile_path: setting profile path \\samba3x\TEST_DOMAIN+johndoe\profile, was
[2004/07/26 11:24:00, 4] lib/substitute.c:automount_server(323)
  Home server: samba3x
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_homedir(801)
  pdb_set_homedir: setting home dir \\samba3x\TEST_DOMAIN+johndoe, was
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_dir_drive(774)
  pdb_set_dir_drive: setting dir drive , was NULL
[2004/07/26 11:24:00, 10] passdb/pdb_get_set.c:pdb_set_logon_script(720)
  pdb_set_logon_script: setting logon script , was
[2004/07/26 11:24:00, 10] auth/auth_util.c:get_user_groups(667)
  get_user_groups: winbind_getgroups(TEST_DOMAIN+johndoe): result = SUCCESS
[2004/07/26 11:24:00, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10752
  Primary group is 10001 and contains 48 supplementary groups
  Group[ 0]: 10000
  Group[ 1]: 10001
  Group[ 2]: 10012
  Group[ 3]: 10017
  Group[ 4]: 10048
  Group[ 5]: 10050
  Group[ 6]: 10051
  Group[ 7]: 10054
  Group[ 8]: 10061
  Group[ 9]: 10062
  Group[ 10]: 10071
  Group[ 11]: 10072
  Group[ 12]: 10075
  Group[ 13]: 10081
  Group[ 14]: 10105
  Group[ 15]: 10116
  Group[ 16]: 10119
  Group[ 17]: 10122
  Group[ 18]: 10123
  Group[ 19]: 10124
  Group[ 20]: 10126
  Group[ 21]: 10128
  Group[ 22]: 10137
  Group[ 23]: 10138
  Group[ 24]: 10144
  Group[ 25]: 10145
  Group[ 26]: 10160
  Group[ 27]: 10164
  Group[ 28]: 10165
  Group[ 29]: 10168
  Group[ 30]: 10170
  Group[ 31]: 10172
  Group[ 32]: 10173
  Group[ 33]: 10181
  Group[ 34]: 10182
  Group[ 35]: 10187
  Group[ 36]: 10192
  Group[ 37]: 10338
  Group[ 38]: 10344
  Group[ 39]: 10345
  Group[ 40]: 10348
  Group[ 41]: 10355
  Group[ 42]: 10356
  Group[ 43]: 10358
  Group[ 44]: 10362
  Group[ 45]: 10364
  Group[ 46]: 10365
  Group[ 47]: 10366
Depending on your Unix there is no way around that problem. It's the Unix kernel that typically only allows 32 groups per user. Linux 2.6 has increased that, but all other Unixes AFAIK have a very low limit.

Volker
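An added example, written for this page and not taken from Samba or from either poster, that makes both points above concrete: the platform's supplementary-group limit as reported by sysconf(_SC_NGROUPS_MAX), and what happens to a 48-group token like the "after change" one when it is cut at 32. It assumes, as a stand-in for Samba's groups_max(), that the limit comes from sysconf() with NGROUPS_MAX as the fallback; the gid list, the function names groups_max_limit, groups_dropped, make_token and apply_groups_strict, and the 500 fallback mentioned in the original post are all constructed for the example. The strict helper refuses a token that does not fit instead of silently dropping entries, since which groups survive a cut depends only on list order and the user loses whatever the dropped groups granted.

```c
/* Added example (not Samba code): check a supplementary-group token against
 * the platform limit before applying it, and fail closed on overflow. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#ifndef NGROUPS_MAX
#define NGROUPS_MAX 32   /* conservative fallback if limits.h has no value */
#endif

#ifdef __linux__
/* Explicit prototype so the block also compiles under a strict -std= that
 * hides glibc's BSD-derived declaration of setgroups(). */
extern int setgroups(size_t n, const gid_t *groups);
#endif

/* Platform limit on supplementary groups; assumed equivalent of Samba's
 * groups_max(): ask sysconf(), fall back to the compile-time constant. */
long groups_max_limit(void)
{
    long ret = sysconf(_SC_NGROUPS_MAX);
    return (ret == -1) ? (long)NGROUPS_MAX : ret;
}

/* Number of entries lost if a token of `ngroups` gids is cut to `limit`;
 * 0 means the whole token can be represented by the kernel. */
size_t groups_dropped(size_t ngroups, long limit)
{
    if (limit < 0)
        return ngroups;
    return ngroups > (size_t)limit ? ngroups - (size_t)limit : 0;
}

/* Fill `out` with a constructed token of `n` consecutive gids from `base`,
 * standing in for the list winbind would resolve for a real user. */
void make_token(gid_t *out, size_t n, gid_t base)
{
    for (size_t i = 0; i < n; i++)
        out[i] = base + (gid_t)i;
}

/* Apply the token only if every gid fits under `limit`; otherwise return -1
 * with errno = EINVAL instead of handing the kernel a truncated list.
 * setgroups() itself needs CAP_SETGID and fails with EPERM without it. */
int apply_groups_strict(const gid_t *gids, size_t ngroups, long limit)
{
    if (groups_dropped(ngroups, limit) > 0) {
        errno = EINVAL;
        return -1;
    }
    return setgroups(ngroups, gids);
}

int main(void)
{
    enum { TOKEN_LEN = 48 };   /* size of the "after change" token in the logs */
    gid_t token[TOKEN_LEN];
    long limit = groups_max_limit();

    make_token(token, TOKEN_LEN, 10000);   /* constructed gids 10000..10047 */
    printf("sysconf(_SC_NGROUPS_MAX) = %ld\n", limit);
    printf("token of %d groups: %zu dropped at the platform limit\n",
           TOKEN_LEN, groups_dropped(TOKEN_LEN, limit));
    printf("token of %d groups: %zu dropped at the old limit of 32\n",
           TOKEN_LEN, groups_dropped(TOKEN_LEN, 32));

    if (geteuid() != 0) {
        puts("not root: skipping setgroups()");
        return 0;
    }
    if (apply_groups_strict(token, TOKEN_LEN, limit) != 0) {
        perror("apply_groups_strict");
        return 1;
    }
    printf("kernel now reports %d supplementary groups\n", getgroups(0, NULL));
    return 0;
}
```

Run as an unprivileged user it only reports the limit and the would-be truncation; as root it applies the token and reads back what the kernel kept. Forcing the helper to return 500, as in the original post, is the same as trusting that the kernel accepts more than sysconf() admits, which is exactly what this check is meant to make visible rather than assume.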