netgroups cannot be used for host access control. This means hosts allow = @group will not work under the following circumstances:

samba-3.0.20 compiled against OpenLDAP 2.2.17
Sun Solaris 9 using SUN ONE DS 5.2 LDAP server
Using SUN's nss_ldap.so for host OS LDAP queries.

An error message is output to /var/adm/messages:

Aug 19 14:44:42 spock smbd[1006]: [ID 293258 user.error] libsldap:Status: 7 Mesg: LDAP ERROR (-7): Bad search filter.

and the LDAP query never occurs and host access is always denied.

On digging into the code, samba uses the innetgr() library function to test if a host is in a netgroup. This function is provided by libc.so on Solaris. The stack then continues through the nss_* code depending on the directory service used by the host. In the case of LDAP, nss_ldap.so is used, which generates an LDAP query using functions in libsldap.so. It is here that the error message is generated.

To try and debug this I've built a test program which uses innetgr. When linked without OpenLDAP libraries, it works as expected. Link the same program with the OpenLDAP libraries and it fails and the error message is generated. My thinking is that a function (possibly ldap_search) in the OpenLDAP library does not like the search filter argument passed to it via nss_ldap.so and libsldap.so and returns an error to libsldap.so, which logs it to syslog.

Possible fixes would include being able to compile samba using the Solaris client LDAP libraries instead of OpenLDAP, rewriting the netgroup match function to use ldap calls directly instead of going through the host's nss_* subsystem, or (as in samba 4) implementing just the minimum required LDAP client functionality directly.
Created attachment 1442: Test program to show the bug.

Compile using cc -o netgroup_test netgroup_test.c to show netgroups working fine against a SUN ONE directory server. Compile using cc -o netgroup_test netgroup_test.c -L/usr/local/lib -lldap -llber to show the error condition. The error message will go to syslog and, on a default setup, appear in /var/adm/messages.
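The attachment itself is not reproduced on this page. The following is an added example, not the reporter's program and not Samba's own code, showing the mechanism the report describes: a "hosts allow" entry beginning with "@" is resolved through the C library's innetgr(), which hands the lookup to whatever NSS netgroup backend the host is configured with. The function names (host_entry_matches, host_allowed), the space/comma list syntax and the netgroup name used in the comments are assumptions made for the example; only innetgr() is the real libc call.

```c
#define _GNU_SOURCE 1   /* makes innetgr() visible in <netdb.h> on glibc */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Upper bound on the allow list we copy so strtok_r() can split it. */
#define ALLOW_LIST_MAX 1024

/* Return 1 if `host` matches one entry of a "hosts allow" style list.
 * An entry starting with '@' is treated as a netgroup name and resolved
 * through innetgr(); on Solaris that is libc -> nss_* -> (for LDAP)
 * nss_ldap.so -> libsldap.so, the path where the report's "Bad search
 * filter" error is raised.  Any other entry is compared literally,
 * case-insensitively, against the host name. */
int host_entry_matches(const char *entry, const char *host)
{
    if (entry == NULL || host == NULL || *entry == '\0')
        return 0;

    if (entry[0] == '@') {
        const char *netgroup = entry + 1;
        if (*netgroup == '\0')
            return 0;                 /* a bare "@" names no netgroup */
        /* user and domain are NULL, so only the host field is matched */
        return innetgr(netgroup, host, NULL, NULL) ? 1 : 0;
    }

    return strcasecmp(entry, host) == 0 ? 1 : 0;
}

/* Walk a space- or comma-separated list such as "@lanhosts spock" and
 * return 1 as soon as one entry admits the host, 0 otherwise. */
int host_allowed(const char *allow_list, const char *host)
{
    char copy[ALLOW_LIST_MAX];
    char *save = NULL;
    char *entry;

    if (allow_list == NULL || host == NULL)
        return 0;
    if (strlen(allow_list) >= sizeof copy)
        return 0;                     /* refuse, rather than truncate, oversized lists */
    strcpy(copy, allow_list);

    for (entry = strtok_r(copy, " ,\t", &save); entry != NULL;
         entry = strtok_r(NULL, " ,\t", &save)) {
        if (host_entry_matches(entry, host))
            return 1;
    }
    return 0;
}

/* Stand-alone use: netgroup_check "<hosts allow list>" <hostname> */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s \"<hosts allow list>\" <hostname>\n", argv[0]);
        return 2;
    }
    int ok = host_allowed(argv[1], argv[2]);
    printf("%s is %s by \"%s\"\n", argv[2], ok ? "allowed" : "denied", argv[1]);
    return ok ? 0 : 1;
}
```

Built plainly, the program answers from the host's configured NSS netgroup source and a netgroup that does not exist simply yields "denied". Built with the OpenLDAP link flags quoted in the comment above (-L/usr/local/lib -lldap -llber) on the affected Solaris setup, the same innetgr() call is the one that produces the libsldap "Bad search filter" line in /var/adm/messages, so comparing the two builds while watching syslog is the quickest way to confirm whether a given Samba binary is affected.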
netgroups - what a strange invention :-). Thanks for pointing this out! As you say: this looks like an OpenLDAP limitation. Samba can be compiled against the Netscape LDAP libs on Solaris for a while now. For the remaining limitations of the Netscape LDAP support there are one or two other bug reports open.