Bug 2273 - User name including domain still valid with use default domain yes, broken groups
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.10
Hardware: All
OS: Linux
Importance: P3 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Depends on:
Reported: 2005-01-21 08:57 UTC by Dave Falloon
Modified: 2007-04-14 17:30 UTC (History)
Description Dave Falloon 2005-01-21 08:57:35 UTC
Quick Summary:

Windows clients connect to a share as DOMAIN+user, winbind sees this as a valid
user, but when checking groups the user is listed as simply user without the
domain for the group, which does not match DOMAIN+user, so group membership is
broken with use default domain = yes.

Here's the technical background:

Debian 3.0 Woody Box
Samba 3.0.10-1 deb package
Win2k AD
security = ADS
MIT kerberos

Here's the trouble, if I set up a share such as this:

comment = Network Drive
path = /home/shared
valid users = @testgroup, @"DOMAIN+testgroup"
read only = no
browseable = yes

and I try to connect as my test user account, test, which is in the test group, as
verified like so:

styx:~# getent group |grep test
Domain Users:x:15002:test

The primary group for the test user is domain users, the secondary group is
testgroup.  That's all working; if I run id on test it shows all the groups:

styx:~# id test
uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users),15010(testgroup)

Here's where everything breaks down.  If you connect to the share from a Windows
2000 machine while logged in as test, the password box pops up telling me I'm denied
access.  Here is the auth log for the connection:

[2005/01/20 16:05:29, 2] smbd/service.c:make_connection_snum(314)
  user 'DOMAIN+test' (from session setup) not permitted to access this share

So I thought hmm, I wonder if it's failing because it thinks that DOMAIN+test is
a different user than test.  If I run id on the DOMAIN+test user I get this:

styx:~# id DOMAIN+test
uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users)

Same UID and same primary GID, but when searching the group file for the
username DOMAIN+test, it rightfully finds no entries because winbind has
stripped the domain from all users.

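The mismatch described above, modelled as an added example (this is not code from the report or from Samba, and it does not reproduce smbd's real access-check code). It embeds a constructed `getent group` listing in the shape winbind returns with `winbind use default domain = yes` (member names without a domain prefix) and assumes `+` as the winbind separator, as the `DOMAIN+test` name in the report implies. `naive_in_group` is the literal comparison that fails for `DOMAIN+test`; `fixed_in_group` strips the domain from the session-setup name first, which is the normalisation the comment below asks winbind to perform.

```shell
#!/bin/sh
# Constructed sample of `getent group` output as winbind returns it with
# "winbind use default domain = yes": members appear as bare user names.
GETENT_GROUP='Domain Users:x:15002:test
testgroup:x:15010:test,other'

# Assumed winbind separator (the report's names use DOMAIN+user).
WINBIND_SEPARATOR='+'

# strip_domain NAME -> prints NAME with any leading "DOMAIN<sep>" removed.
# A name without a separator is printed unchanged.
strip_domain() {
    case "$1" in
        *"$WINBIND_SEPARATOR"*) printf '%s\n' "${1#*$WINBIND_SEPARATOR}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# naive_in_group USER GROUP -> exit 0 if USER appears literally in GROUP's
# member list. This is the comparison the report describes failing: the
# session-setup name DOMAIN+test never equals the stored member name test.
naive_in_group() {
    ng_user=$1
    ng_group=$2
    ng_members=$(printf '%s\n' "$GETENT_GROUP" |
        awk -F: -v g="$ng_group" '$1 == g { print $4 }')
    case ",$ng_members," in
        *",$ng_user,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# fixed_in_group USER GROUP -> same check after normalising the name the
# way winbind already normalised the group members.
fixed_in_group() {
    naive_in_group "$(strip_domain "$1")" "$2"
}

# Walk through both name forms against the secondary group from the report.
for u in test DOMAIN+test; do
    if naive_in_group "$u" testgroup; then
        echo "$u: literal match in testgroup"
    else
        echo "$u: no literal match in testgroup (the reported failure)"
    fi
    if fixed_in_group "$u" testgroup; then
        echo "$u: matches testgroup after stripping the domain"
    fi
done
```

Run it with `sh` and compare the two lines printed for `DOMAIN+test`: the literal check fails exactly as the `not permitted to access this share` log line reports, while the normalised check succeeds, because both sides of the comparison are then in the same (domain-stripped) form.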
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-01-21 09:13:23 UTC
I hate 'winbind use default domain'.  I'll look into this.
Comment 2 Dave Falloon 2005-01-21 10:22:41 UTC
I hear ya, but don't get too down, it works beautifully for email and all the
other applications, just some minor wrinkles, but other than that it's FRIGGIN

I'm scripting a workaround for myself until a patch is out.  If you need any
data, debug logs, version information, etc, let me know.

Possibly helpful idea:

I'm not a coder, just a lowly computer janitor so the following idea may not be
tractable, but could you do something like this:

If the setting is enabled, and a computer attempts a connection, smbd must be
handing the username over to winbind, with the domain; can winbind hand back the
username without the domain?

I don't really know if that's how it works, it could be more of a smbd asks
winbind "is this guy real, yes or no" and winbind only returns a yes or no.

Anyways thanks,

Comment 3 Gerald (Jerry) Carter (dead mail address) 2007-04-14 17:30:33 UTC
Should be fixed post 3.0.23.