Bug 2579 - smbd doesn't set secondary group list properly
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.10
Hardware: x86 Linux
Importance: P3 critical
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-04-06 04:00 UTC by Albrecht Dreß
Modified: 2005-04-06 06:24 UTC

smb.conf file (sensitive info replaced) (7.50 KB, text/plain)
2005-04-06 04:07 UTC, Albrecht Dreß

Description Albrecht Dreß 2005-04-06 04:00:13 UTC
My setup uses the Samba box as member of a larger Active Directory domain.

To grant a group of users access to all subfolders of a domain, I added to


Running id -G MYDOMAIN_user1 results in

10000 1001 10006 10007 10004 10005 10125 10190

getent passwd MYDOMAIN_user1 says

MYDOMAIN_user1:*:10000:10000:Dress, Albrecht:/my/home/folder:/bin/bash

1st puzzling thing: the result of running 
wbinfo -r MYDOMAIN_user1

Now I created and exported a folder with the following setup:

ls -l shared_folder
dr-xr-s---  2 MYDOMAIN_user1  local_admin 128 Apr  4 14:08 user1
dr-xr-s---  2 MYDOMAIN_user2  local_admin 154 Apr  1 16:14 user2

Although user1 is a member of the group local_admin (and is able, if logged in
via ssh, to access the folder user2 with unix commands), trying to open the
subfolder user2 always results in a "permission denied" error.

Running smbd in strace, the following calls to setresuid, setresgid and
setgroups occur immediately before the failed accesses:

grep '\(set.*[ug]id\|Permission\|setgroups\)' smb-test
[...parts of the output snipped]
[pid  3513] setresuid32(0, 0, -1)       = 0
[pid  3513] setgroups32(8, [10000, 10001, 10002, 10003, 10004, 10005, 10006, 10007]) = 0
[pid  3513] setresgid32(-1, 10000, -1)  = 0
[pid  3513] setresuid32(10000, 10000, -1) = 0
[pid  3513] stat64("user2/Desktop.ini", 0xbfffeea0) = -1 EACCES (Permission denied)

Obviously, the list of secondary groups set is the list as returned by wbinfo
-r, but Linux doesn't know all, and the local admin group (id 1001) is missing.

Comment 1 Albrecht Dreß 2005-04-06 04:07:28 UTC
Created attachment 1142
smb.conf file (sensitive info replaced)
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-04-06 06:24:50 UTC
The behavior is by design.  As a performance optimization,
smbd uses direct winbind calls to obtain group membership 
for a Windows user.  Therefore not mixing membership with 
groups listed in /etc/group.

You can however use nested local groups.  See 
the smb.conf(5) man page on 'winbind nested groups'
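
An added example, not part of the original bug report or of Samba: a Python check that compares the groups NSS reports for a user (`id -G`) with the list a process actually installed via `setgroups`, as seen in strace output. The function names are hypothetical, and the sample input is constructed from the values quoted in the report above.

```python
import re

# Sample input constructed from the values quoted in the report.
ID_G_OUTPUT = "10000 1001 10006 10007 10004 10005 10125 10190"
STRACE_SAMPLE = """\
[pid  3513] setresuid32(0, 0, -1)       = 0
[pid  3513] setgroups32(8, [10000, 10001, 10002, 10003, 10004, 10005, 10006, 10007]) = 0
[pid  3513] setresgid32(-1, 10000, -1)  = 0
[pid  3513] setresuid32(10000, 10000, -1) = 0
[pid  3513] stat64("user2/Desktop.ini", 0xbfffeea0) = -1 EACCES (Permission denied)
"""

# Matches successful setgroups/setgroups32 calls: count, then the gid array.
SETGROUPS_RE = re.compile(r"setgroups(?:32)?\((\d+),\s*\[([^\]]*)\]\)\s*=\s*0")


def last_setgroups(strace_text):
    """Return the gid set from the last successful setgroups call, or None."""
    # Re-join calls that a mail client or terminal wrapped after a comma.
    text = re.sub(r",\s*\n\s*", ", ", strace_text)
    result = None
    for m in SETGROUPS_RE.finditer(text):
        # int() raises ValueError if strace abbreviated the array with "...".
        gids = [int(g) for g in m.group(2).replace(",", " ").split()]
        if len(gids) != int(m.group(1)):
            raise ValueError("incomplete setgroups list: " + m.group(0))
        result = set(gids)
    return result


def compare_groups(id_g_output, strace_text):
    """Diff NSS membership (id -G) against the groups the process set."""
    nss = {int(g) for g in id_g_output.split()}
    applied = last_setgroups(strace_text)
    if applied is None:
        raise ValueError("no successful setgroups call found")
    return {
        "missing_from_process": sorted(nss - applied),
        "only_in_process": sorted(applied - nss),
    }


if __name__ == "__main__":
    print(compare_groups(ID_G_OUTPUT, STRACE_SAMPLE))
```

Groups listed under `missing_from_process` are ones the user holds according to NSS but that the traced process never installed, which is where an unexpected EACCES on a group-owned directory comes from.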