Bug 1933 - Incorrect group membership reported for 'root'
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.7
Hardware: x86 Linux
Importance: P3 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Reported: 2004-10-14 07:27 UTC by Misty Stanley-Jones
Modified: 2005-01-10 07:25 UTC
Description Misty Stanley-Jones 2004-10-14 07:27:43 UTC
I'm running Samba 3.0.7 with LDAP backend.  I've got several custom groups: 
 
oink:~ # net groupmap list 
acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin 
truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss 
hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr 
furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture 
dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch 
Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain Admins 
Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -> Domain Users 
Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514) -> Domain Guests 
Print Operators (S-1-5-32-550) -> Print Operators 
Backup Operators (S-1-5-32-551) -> Backup Operators 
Replicators (S-1-5-32-552) -> Replicators 
Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) -> Workgroup Computers
Administrators (S-1-5-32-544) -> Administrators 
acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct 
receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) -> receptionist 
engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr 
 
If I run "net rpc group members <groupname>" on some groups, I get a different 
(incorrect) result when I run as root, but I get the correct result if I run as 
another user.  The interesting thing is, if root has been a member in the past 
but was taken out, I get incorrect results like the first two below.  If root 
has never been a member, I get correct results like the third item below. 
 
oink:~ # net rpc group members engr 
Password: 
CORP1\root 
oink:~ # net rpc group members acct 
Password: 
CORP1\root 
oink:~ # net rpc group members hr 
Password: 
CORP1\cheri 
CORP1\carl 
 
If I run the same commands as a non-privileged user, I get correct results all 
the way around: 
misty@oink:~> net rpc group members engr 
Password: 
CORP1\pat 
CORP1\chuck 
CORP1\jeremy 
CORP1\jerry 
CORP1\paul 
CORP1\roger 
CORP1\todd 
misty@oink:~> net rpc group members acct 
Password: 
CORP1\brandon 
CORP1\carl 
CORP1\lorene 
CORP1\angie 
CORP1\chad 
CORP1\cheri 
misty@oink:~> net rpc group members hr 
Password: 
CORP1\cheri 
CORP1\carl 
 
Here is some further data: 
misty@oink:~> net rpc user info root 
Password: 
Domain Admins 
Domain Users 
 
oink:~ # smbldap-usershow root 
dn: cn=root,ou=people,dc=borkholder,dc=com 
objectClass: account,posixAccount,top,sambaSamAccount 
cn: root 
uid: root 
uidNumber: 0 
gidNumber: 0 
loginShell: /bin/bash 
homeDirectory: /root 
displayName: root 
sambaPwdCanChange: 1095966471 
sambaPwdMustChange: 2147483647 
sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE 
sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678 
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1095966471 
sambaAcctFlags: [U          ] 
userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2 
sambaSID: S-1-5-21-725326080-1709766072-2910717368-500 
sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512 
oink:~ # smbldap-groupshow engr 
dn: cn=engr,ou=groups,dc=borkholder,dc=com 
cn: engr 
gidNumber: 1001 
displayName: engr 
sambaGroupType: 2 
objectClass: top,posixGroup,sambaGroupMapping 
sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001 
memberUid: pat,chuck,jeremy,jerry,paul,roger,todd 
 
This would not be a major issue I guess, except that I have logon scripts that 
are based on group membership.  These logon scripts get run correctly for 
everyone but root.
Comment 1 Misty Stanley-Jones 2004-10-15 09:13:03 UTC
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_KEEPALIVE = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_REUSEADDR = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_BROADCAST = 0 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option TCP_NODELAY = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option IPTOS_LOWDELAY = 0 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option IPTOS_THROUGHPUT = 0 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_SNDBUF = 16384 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_RCVBUF = 16384 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_SNDLOWAT = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_RCVLOWAT = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_SNDTIMEO = 0 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_RCVTIMEO = 0 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_KEEPALIVE = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_REUSEADDR = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_BROADCAST = 0 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option TCP_NODELAY = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option IPTOS_LOWDELAY = 0 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option IPTOS_THROUGHPUT = 0 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_SNDBUF = 16384 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_RCVBUF = 16384 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_SNDLOWAT = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_RCVLOWAT = 1 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_SNDTIMEO = 0 
[2004/10/15 11:11:09, 5] lib/util_sock.c:print_socket_options(147) 
  socket option SO_RCVTIMEO = 0 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:make_pdb_context_list(763) 
  Trying to load: ldapsam:ldap://localhost 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(93) 
  Attempting to register passdb backend ldapsam 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(106) 
  Successfully added passdb backend 'ldapsam' 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(93) 
  Attempting to register passdb backend ldapsam_compat 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(106) 
  Successfully added passdb backend 'ldapsam_compat' 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(93) 
  Attempting to register passdb backend smbpasswd 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(106) 
  Successfully added passdb backend 'smbpasswd' 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(93) 
  Attempting to register passdb backend tdbsam 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(106) 
  Successfully added passdb backend 'tdbsam' 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(93) 
  Attempting to register passdb backend guest 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:smb_register_passdb(106) 
  Successfully added passdb backend 'guest' 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:make_pdb_methods_name(648) 
  Attempting to find an passdb backend to match ldapsam:ldap://localhost (ldapsam)
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:make_pdb_methods_name(669) 
  Found pdb backend ldapsam 
[2004/10/15 11:11:09, 2] lib/smbldap.c:smbldap_search_domain_info(1319) 
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CORP1))] 
[2004/10/15 11:11:09, 5] lib/smbldap.c:smbldap_search(963) 
  smbldap_search: base => [dc=borkholder,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=CORP1))], scope => [2]
[2004/10/15 11:11:09, 10] lib/smbldap.c:smbldap_open_connection(542) 
  smbldap_open_connection: ldap://localhost 
[2004/10/15 11:11:09, 2] lib/smbldap.c:smbldap_open_connection(638) 
  smbldap_open_connection: connection opened 
[2004/10/15 11:11:09, 10] lib/smbldap.c:smbldap_connect_system(769) 
  ldap_connect_system: Binding to ldap server ldap://localhost as "cn=Manager,dc=borkholder,dc=com"
[2004/10/15 11:11:09, 3] lib/smbldap.c:smbldap_connect_system(804) 
  ldap_connect_system: succesful connection to the LDAP server 
[2004/10/15 11:11:09, 4] lib/smbldap.c:smbldap_open(855) 
  The LDAP server is succesfully connected 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:make_pdb_methods_name(672) 
  pdb backend ldapsam:ldap://localhost has a valid init 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:make_pdb_methods_name(648) 
  Attempting to find an passdb backend to match guest (guest) 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:make_pdb_methods_name(669) 
  Found pdb backend guest 
[2004/10/15 11:11:09, 5] passdb/pdb_interface.c:make_pdb_methods_name(672) 
  pdb backend guest has a valid init 
 
Comment 2 Misty Stanley-Jones 2004-10-17 13:17:50 UTC
The problem goes away when I map gid=0 to SID=Domain Admins.  I don't know if 
this is a bug or not. 
Comment 3 Misty Stanley-Jones 2005-01-10 07:25:40 UTC
This was a config error and I forgot to come back and close it.
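
Comment 2 reports that mapping gid 0 to the Domain Admins SID made the symptom disappear. The following is an added example (not part of the bug report and not Samba code) that checks smbldap-usershow/groupshow style output for that inconsistency: a user whose Unix gidNumber differs from the gidNumber of the group carrying its sambaPrimaryGroupSID. The root attributes are taken from the report; the Domain Admins group entry and its gidNumber 512 are constructed sample data, and the function names are hypothetical.

```python
# Added example: root's attributes come from the report's smbldap-usershow
# output; the Domain Admins entry (gidNumber 512) is constructed sample data.
DOMAIN = "S-1-5-21-725326080-1709766072-2910717368"

SAMPLE = f"""\
dn: cn=root,ou=people,dc=borkholder,dc=com
objectClass: account,posixAccount,top,sambaSamAccount
uid: root
gidNumber: 0
sambaSID: {DOMAIN}-500
sambaPrimaryGroupSID: {DOMAIN}-512
dn: cn=Domain Admins,ou=groups,dc=borkholder,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 512
sambaSID: {DOMAIN}-512
"""


def parse_entries(text):
    """Parse 'attr: value' lines; each 'dn:' line starts a new entry."""
    entries = []
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # wrapped continuation or blank line
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            entries.append({"dn": value})
        elif entries:
            entries[-1][attr] = value
    return entries


def primary_group_mismatches(entries):
    """Return (uid, user gid, primary group SID, mapped group gid) for users
    whose Unix gid differs from the gid of the group carrying that SID."""
    groups = {e["sambaSID"]: e for e in entries
              if "sambaGroupMapping" in e.get("objectClass", "")}
    findings = []
    for e in entries:
        sid = e.get("sambaPrimaryGroupSID")
        mapped_gid = groups.get(sid, {}).get("gidNumber")  # None: SID unmapped
        if sid and mapped_gid != e.get("gidNumber"):
            findings.append((e["uid"], e.get("gidNumber"), sid, mapped_gid))
    return findings


if __name__ == "__main__":
    for f in primary_group_mismatches(parse_entries(SAMPLE)):
        print("mismatch: uid=%s gid=%s primary SID=%s mapped gid=%s" % f)
```

A finding with a mapped gid of None means no group entry carries the user's primary group SID at all.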