Bug 3027 - missing groups in active directory accounts
Summary: missing groups in active directory accounts
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.14a
Hardware: All Linux
: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-08-23 01:41 UTC by Mario Abajo
Modified: 2005-11-17 06:39 UTC
Description Mario Abajo 2005-08-23 01:41:51 UTC
I have a Linux machine added to a Windows 2000 (non-native mode) domain with
2000+ users. This machine has some shared resources that some users can access
and some cannot. The problem is that the people who don't have access lack it
because winbind doesn't retrieve all the groups (or sometimes retrieves
incorrect group numbers). I tried this with different results:

# wbinfo -r mario.abajo
1013
1501
7194
7213
17789
# id mario.abajo
uid=16295(mario.abajo) gid=1013(group1)
grupos=1013(group1),7194(group2),7213(group3),
1501(group4),8436(group5),9622(group6),16286(group7),
17789(group8),17800(group9)

As you can see, there are missing groups. This happened with users with several
groups; this recent user, for example, doesn't have that problem:

# wbinfo -r usuario.5631
508
1013
17800
# id usuario.5631
uid=3707(usuario.5631) gid=1013(group1) grupos=1013(group1),17800(group9)

508 is the "BUILTIN\users" group; I don't know if this has to be like that, but
it works.

I'm using a Debian Sarge 3.1r0 with the "sernet samba version" 
# smbd -V
Version 3.0.14a-SerNet-Debian

My smb.conf configuration:

[global]
        workgroup = DOMAIN
        realm = DOMAIN.ES
        netbios name = SRV-DEB
        server string = Servidor debian
        security = ADS
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        password server = srv1.domain.es, srv2.domain.es
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        log level = 2
        syslog = 0
        os level = 65
        log file = /var/log/samba/log.%m
        max log size = 1000
        smb ports = 139 445
        load printers = No
        obey pam restrictions = yes
        printcap name = /etc/printcap
        ldap ssl = start tls
        panic action = /usr/share/samba/panic-action %d
        allow trusted domains = no
        idmap backend = idmap_rid:INECO=500-100000000
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        print command = lp -d%p -oraw %s; rm %s
        queuepause command = disable %p
        queueresume command = enable %p
        socket options = TCP_NODELAY
        winbind cache time = 600
        winbind separator = /
        winbind enum users = no
        winbind enum groups = yes
        winbind nested groups = yes
        nt acl support = yes

[files]
        comment = Fichero
        path = /mnt/datos
        admin users = DOMAIN/mario.abajo
        writable = yes
        map acl inherit = yes
        inherit acls = yes

The normal Debian packages have the same problem, but I tried Red Hat
Enterprise 4 with Samba version 3.0.10 and it doesn't suffer from this bug.

Thanks for all
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-09-29 08:43:32 UTC
Please retest against 3.0.20a.  Should be fixed now.
Comment 2 Mario Abajo 2005-10-03 00:55:08 UTC
(In reply to comment #1)
> Please retest against 3.0.20a.  Should be fixed now.

I have tested the new packages 
# smbd -V
Version 3.0.20-SerNet-Debian
and with the same configuration that is in the first post, and I got this:

# wbinfo -r DOMAIN/a_user
1013
13305
7213
1501
15615
17919
17152
17800
17789
7194
# id DOMAIN/a_user
uid=8745(DOMAIN/a_user) gid=1013(DOMAIN/Usuarios del dominio)
groups=1013(DOMAIN/Usuarios del
dominio),7194(DOMAIN/group1),7213(DOMAIN/group2),1501(DOMAIN/group3),
10086(DOMAIN/group4),8436(DOMAIN/group5),12767(DOMAIN/group6),
16286(DOMAIN/group7),16302(DOMAIN/group8),15615(DOMAIN/group9),
17152(DOMAIN/group10),17789(DOMAIN/group11),17800(DOMAIN/group12),
17919(DOMAIN/group13)

For security reasons the name of the user and its member groups have to be changed.
As you can see, the problem continues. Now I will give you the output of the same
commands on Red Hat Enterprise Linux AS 4 with

# smbd -V
Version 3.0.10-1.4E

with this configuration:

[global]
        workgroup = DOMAIN
        realm = DOMAIN.ES
        netbios name = DEMO_CLUS
        server string = Servidor de ficheros
        security = ADS
        password server = srv1.domain.es srv2.domain.es
        load printers = No
        obey pam restrictions = yes
        allow trusted domains = no
#       idmap backend = idmap_rid:DOMAIN=500-100000000
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        socket options = TCP_NODELAY
        winbind cache time = 600
        winbind separator = /
        winbind enum users = yes
        winbind enum groups = yes
#       winbind nested groups = yes
        template shell = /bin/false
        winbind use default domain = no
        map acl inherit = yes
        inherit acls = Yes
        log level = 2

[datos]
        path = /mnt/san_gfs
        writeable = yes

The configuration is very similar to the one in the first post; the most
significant difference is the absence of the idmap_rid module, which makes the
numbers of the groups different.

# wbinfo -r DOMAIN/a_user
500
501
502
517
592
593
623
771
776
778
805
# id DOMAIN/a_user
uid=2553(DOMAIN/a_user) gid=500(DOMAIN/Usuarios del dominio)
grupos=500(DOMAIN/Usuarios del
dominio),501(DOMAIN/group1),502,517(DOMAIN/group8),592(DOMAIN/group2),
593(DOMAIN/group3),623(DOMAIN/group4),771(DOMAIN/group5),
776(DOMAIN/group7),778(DOMAIN/group9),805(DOMAIN/group6)

This last version is perfectly functional, while 3.0.14a and now 3.0.20
don't coincide in the groups shown by winbind. For that reason, the shares with
ACLs received "permission denied", privileges different from the ones they
should have.
If you need any other information, like a log, please tell me, and thanks a lot.
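
Added example (not part of the bug report and not Samba code): a shell script that diffs the gid list from `wbinfo -r` against the supplementary groups in pasted `id` output, since a gid present in only one view is what makes ACL checks on a share disagree with the directory. The sample data is the 3.0.20 output quoted in comment 2; the function names are hypothetical, and the parser assumes group names contain no commas or parentheses.

```shell
#!/bin/sh
# Added example: compare winbind's gid list with the NSS view from `id`.
# Function names are hypothetical; sample data is copied from comment 2.

# gids from `wbinfo -r` output: one number per line.
wbinfo_gids() {
    printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -un
}

# gids from the supplementary list in pasted `id` output. The label is
# locale dependent (groups=/grupos=), entries may lack a name ("502"), and
# pasted output may be line-wrapped. Assumes names hold no ',' or ')'.
id_gids() {
    printf '%s\n' "$1" | tr '\n' ' ' |
        sed -E 's/^.*gid=[0-9]+(\([^)]*\))? *[^ =]+=//' |
        tr ',' '\n' | sed -E 's/^ *([0-9]+).*$/\1/' |
        grep -E '^[0-9]+$' | sort -un
}

# gids in list $1 that are absent from list $2, joined on one line.
only_in() {
    printf '%s\n' "$1" | grep -Fxv -e "$2" | sort -n | paste -sd' ' -
}

# Sample input: the 3.0.20 outputs from comment 2, wrapped as posted.
WB_OUT=$(printf '%s\n' 1013 13305 7213 1501 15615 17919 17152 17800 17789 7194)
ID_OUT='uid=8745(DOMAIN/a_user) gid=1013(DOMAIN/Usuarios del dominio)
groups=1013(DOMAIN/Usuarios del
dominio),7194(DOMAIN/group1),7213(DOMAIN/group2),1501(DOMAIN/group3),
10086(DOMAIN/group4),8436(DOMAIN/group5),12767(DOMAIN/group6),
16286(DOMAIN/group7),16302(DOMAIN/group8),15615(DOMAIN/group9),
17152(DOMAIN/group10),17789(DOMAIN/group11),17800(DOMAIN/group12),
17919(DOMAIN/group13)'

wb=$(wbinfo_gids "$WB_OUT")
nss=$(id_gids "$ID_OUT")
echo "in id, not in wbinfo -r: $(only_in "$nss" "$wb")"
echo "in wbinfo -r, not in id: $(only_in "$wb" "$nss")"
```

On a live host, `id -G user` prints the numeric list directly and avoids parsing group names.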
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-11-15 09:23:23 UTC
Please retest against 3.0.21rc1.  I expect Guenther's recent PAC work 
to resolve this.
Comment 4 Mario Abajo 2005-11-16 07:14:35 UTC
Now it works perfectly, :))))))))))))))))))))))))))))))))))))
I hope to see this version soon in sernet.
Thanks a lot
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-11-17 06:39:19 UTC
The target date for the final 3.0.21 release is the end of this month.