I've winbindd running on Samba 3.0.11, and everything seems basically correct, however, when I run getent group, the group DOMAIN+domain users has no members listed. But if I do id CORP+nastest I get this:
uid=10112(CORP+nastest) gid=10011(CORP+domain users) groups=10011(CORP+domain users)
even though getent is showing:
CORP+domain users:x:10011:
This is a known issue with Windows 2003 AS. It doesn't seem to happen with win2k. It is reproducible and mostly harmless, I guess.
Gerry sez: Currently AD doesn't give us back the user list for 'domain users' when security = ads. We need to use ranged results from the discussion last week.
I've another issue that may be related; Windows 2003 SP1 groups are not correctly mapping users, so if the only share access is by group the user can't get access, even though he is in the group. Email paste:
This machine is connected to a windows 2003 ADS server with SP1 and doesn't show the members of domain users, could that be related?
-tom
Tom Dickson wrote:
| I've a machine, and users if granted permission work, but if I grant a group
| permissions, the user can't get access, even though both winbind and getent report
| that he is in that group.
|
| Examples:
|
| [CAD_BU2]
|   comment = CAD_BU
|   path = /mnt/H05/CAD_BU
|   valid users = @THG+mis_group
|   admin users = @THG+mis_group
|   write list = @THG+mis_group
|
| User THG+ralphg cannot get access to this share, even though getent group reports:
|
| THG+mis_group:x:10005:THG+sysadmin,THG+ralphg
|
| [2005/05/13 15:05:18, 2] smbd/service.c:make_connection_snum(311)
|   user 'THG+ralphg' (from session setup) not permitted to access this share (CAD_BU2)
|
| is the error given. It looks like this part is what fails:
|
| [2005/05/13 15:05:58, 5] lib/username.c:user_in_netgroup_list(319)
|   looking for user THG+ralphg of domain in netgroup THG+mis_group
| [2005/05/13 15:05:58, 5] lib/username.c:user_in_netgroup_list(335)
|   looking for user thg+ralphg of domain in netgroup THG+mis_group
| [2005/05/13 15:05:58, 2] smbd/service.c:make_connection_snum(311)
|
| Why does that fail? He's in the group. The domain is blank. Should that be blank?
|
|   Finding user THG+ralphg
| [2005/05/13 15:07:48, 5] lib/username.c:Get_Pwnam_internals(223)
|   Trying _Get_Pwnam(), username as lowercase is thg+ralphg
| [2005/05/13 15:07:48, 5] lib/username.c:Get_Pwnam_internals(230)
|   Trying _Get_Pwnam(), username as given is THG+ralphg
| [2005/05/13 15:07:48, 5] lib/username.c:Get_Pwnam_internals(239)
|   Trying _Get_Pwnam(), username as uppercase is THG+RALPHG
| [2005/05/13 15:07:48, 5] lib/username.c:Get_Pwnam_internals(247)
|   Checking combinations of 0 uppercase letters in thg+ralphg
| [2005/05/13 15:07:48, 5] lib/username.c:Get_Pwnam_internals(251)
|   Get_Pwnam_internals didn't find user [THG+ralphg]!
| [2005/05/13 15:07:48, 5] lib/username.c:Get_Pwnam(293)
|   Finding user ralphg
| [2005/05/13 15:07:48, 5] lib/username.c:Get_Pwnam_internals(223)
|
| If I set the share to allow THG+ralphg it works fine. Something is borked. I'm
| going to try restarting the samba machine.
|
| [2005/05/13 15:05:18, 2] auth/auth.c:check_ntlm_password(300)
|   check_ntlm_password: authentication for user [ralphg] -> [ralphg] -> [THG+ralphg] succeeded
| [2005/05/13 15:05:18, 2] smbd/service.c:make_connection_snum(311)
|   user 'THG+ralphg' (from session setup) not permitted to access this share (CAD_BU2)
| [2005/05/13 15:05:18, 2] smbd/server.c:exit_server(609)
|   Closing connections
We're having similar problems, but not just with "Domain Users" group. In our case, "getent group" shows the proper groups and membership information, but "id" has some confusion. "id username" shows the correct groups no matter who it's run as, but "id" run by the user sometimes has groups missing. It's always the same groups missing for the same people, but not always the same groups for all people. As a result, people who are in a group cannot even "cd" into a directory that is locked down (770) to a group they're a member of. It's quite frustrating. Oh, and our server is a RH9 (Fedora Legacy) box, running the latest 3.0.15pre2 package from samba.org. :(
This seems to be a service pack 1 issue on Windows 2003. I have not had time to reproduce this in my lab, but the problem is still extant at the customer site. I will try to reproduce this week.
Indeed. We were having no problems on any of our Linux servers (all ADS domain members) until we rolled out SP1.
I think comment #3 may in fact be a separate bug, so I'm going to file it separately.
*** Bug 2746 has been marked as a duplicate of this bug. ***
(In reply to comment #5)
> Indeed. We were having no problems on any of our Linux servers (all ADS domain
> members) until we rolled out SP1.
Us too .. I think Microsoft did this on purpose; they broke the ability to use the groups on 2003 GC/FRS AD groups to samba on purpose. Even checkpoint released a patch to talk to the SP1 2003 servers on secureplatform; it seems to change the LDAP format a lot.
Volker and I have done a lot of work surrounding this for 3.0.23. However, the decision has been made to disable 'winbind enum users/groups' by default due to inconsistencies in how Windows DCs behave. Tools such as 'id' should be guaranteed to work when run as the user but not 'id user' since the latter involves enumeration. Please retest the SAMBA_3_0 tree if you can, or else 3.0.23pre1 once it is released.
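One way to spot the mismatch reported in this thread (groups that `id` gives a user but `getent group` does not enumerate them in, and the reverse), as an added example that is not part of the original thread or of Samba's code. The function names are hypothetical, the case-insensitive name match is an assumption, the first sample pair is taken from the first report, and the second `id` line is constructed.

```python
import re

# id(1) prints "uid=N(name) gid=N(name) groups=N(name),N(name)". Winbind names
# such as "CORP+domain users" contain '+' and spaces, so match on the
# parentheses instead of splitting on whitespace or commas.
_ID_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(output):
    """Return (username, primary_gid, {gid: group_name}) from `id` output."""
    line = output.strip()
    user = re.search(r"\buid=\d+\(([^)]*)\)", line)
    primary = re.search(r"\bgid=(\d+)", line)
    if not user or not primary:
        raise ValueError("not id(1) output: %r" % output)
    groups = {}
    for key in ("gid", "groups"):
        # A field ends at the next " key=" (e.g. " groups=") or end of line.
        field = re.search(r"\b%s=(.*?)(?= \w+=|$)" % key, line)
        if field:
            for gid, name in _ID_ENTRY.findall(field.group(1)):
                groups[int(gid)] = name
    return user.group(1), int(primary.group(1)), groups


def parse_getent_group(text):
    """Return {gid: (group_name, set_of_member_names)} from `getent group`."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":", 3)  # name:passwd:gid:member,member,...
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip blank or malformed lines
        name, _passwd, gid, members = parts
        # Assumption: names are compared case-insensitively.
        groups[int(gid)] = (name, {m.strip().casefold()
                                   for m in members.split(",") if m.strip()})
    return groups


def compare(id_output, getent_text):
    """Report where per-user lookup and group enumeration disagree."""
    user, primary_gid, id_groups = parse_id(id_output)
    enumerated = parse_getent_group(getent_text)
    key = user.casefold()
    # In the user's token but not enumerated as a member. The third element
    # marks the primary group, which local /etc/group files never list either.
    only_in_id = [(gid, name, gid == primary_gid)
                  for gid, name in sorted(id_groups.items())
                  if key not in enumerated.get(gid, ("", set()))[1]]
    # Enumerated as a member but absent from the user's token: group-based
    # share or file permissions will be denied for this user.
    only_in_getent = [(gid, name)
                      for gid, (name, members) in sorted(enumerated.items())
                      if key in members and gid not in id_groups]
    return {"user": user, "only_in_id": only_in_id,
            "only_in_getent": only_in_getent}


# Sample pair quoted in the first report of this thread.
REPORT_ID = ("uid=10112(CORP+nastest) gid=10011(CORP+domain users) "
             "groups=10011(CORP+domain users)")
REPORT_GETENT = "CORP+domain users:x:10011:\n"

# Constructed id line for the second report; the mis_group getent line is
# the one quoted in that report, the domain users line is constructed.
CONSTRUCTED_ID = ("uid=10009(THG+ralphg) gid=10000(THG+domain users) "
                  "groups=10000(THG+domain users)")
CONSTRUCTED_GETENT = ("THG+domain users:x:10000:\n"
                      "THG+mis_group:x:10005:THG+sysadmin,THG+ralphg\n")

if __name__ == "__main__":
    print(compare(REPORT_ID, REPORT_GETENT))
    print(compare(CONSTRUCTED_ID, CONSTRUCTED_GETENT))
```

On a live host the two inputs would be the output of `id <user>` and `getent group`, captured as the same account in both cases, since the thread reports different results depending on who runs `id`.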