netgroups cannot be used for host access control. This means
hosts allow = @group
will not work under the following circumstances:
samba-3.0.20 compiled against OpenLDAP 2.2.17
Sun Solaris 9 using SUN ONE DS 5.2 LDAP server
Using SUN's nss_ldap.so for host OS LDAP queries.
An error message is output to /var/adm/messages:
Aug 19 14:44:42 spock smbd: [ID 293258 user.error] libsldap:Status: 7
Mesg: LDAP ERROR (-7): Bad search filter.
and the LDAP query never occurs and host access is always denied.
On digging into the code, samba uses the innetgr() library function to test if a
host is in a netgroup. This function is provided by libc.so on Solaris. The
stack then continues through the nss_* code depending on the directory service
used by the host. In the case of LDAP, nss_ldap.so is used which generates an
LDAP query using functions in libsldap.so. It is here that the error message is
To try and debug this I've built a test program which uses innetgr. When linked
without OpenLDAP libraries, it works as expected. Link the same program with the
OpenLDAP libraries and it fails and the error message is generated.
My thinking is that a function (possibly ldap_search) in the OpenLDAP library
does not like the search filter argument passed to it via nss_ldap.so and
libsldap.so and returns an error to libsldap.so which logs it to syslog.
Possible fixes would include being able to compile samba using the Solaris
client LDAP libraries instead of OpenLDAP, rewrite the netgroup match function
to use ldap calls directly instead of going through the host's nss_* subsystem
or (as in samba 4) implement just the minimum required LDAP client functionality
Created attachment 1442 [details]
Test program to show the bug
compile using cc -o netgroup_test netgroup_test.c to show netgroups working
fine against a SUN ONE directory server.
compile using cc -o netgroup_test netgroup_test.c -L/usr/local/lib -lldap -llber
to show the error condition. Error message will go to syslog and on a default
setup, appear in /var/adm/messages.
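For readers who cannot open the attachment, the following is an added example of a small innetgr() test program of the kind described above. It is not attachment 1442 and not Samba code; it assumes that a host-only netgroup check is innetgr(netgroup, host, NULL, NULL) and that the netgroup token arrives with Samba's leading "@", and the default group and host names are constructed. Build it once without and once with the OpenLDAP libraries, as described in the comment above, and compare syslog.

```c
/* Added example (not attachment 1442): host-in-netgroup check via innetgr().
 * Build without LDAP libs:  cc -o netgroup_test netgroup_test.c
 * Build against OpenLDAP:   cc -o netgroup_test netgroup_test.c -L/usr/local/lib -lldap -llber
 * Run both builds against the same netgroup and host and watch syslog
 * for the "Bad search filter" message. */
#define _GNU_SOURCE
#include <netdb.h>
#include <stdio.h>

/* Returns 1 if `host` is a member of `netgroup`, 0 otherwise (including when
 * the lookup fails inside the NSS/LDAP stack, which is what the bug produces).
 * NULL for user and domain tells innetgr() to match any user/domain, i.e. a
 * host-only test (assumption: this is what "hosts allow = @group" needs).
 * A leading '@' (Samba's netgroup marker) is stripped so the smb.conf token
 * can be passed as-is. */
int host_in_netgroup(const char *netgroup, const char *host)
{
    if (netgroup == NULL || host == NULL || *host == '\0')
        return 0;
    if (*netgroup == '@')
        netgroup++;
    if (*netgroup == '\0')
        return 0;
    return innetgr(netgroup, host, NULL, NULL) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Constructed defaults; override on the command line. */
    const char *group = argc > 1 ? argv[1] : "@trusted-hosts";
    const char *host  = argc > 2 ? argv[2] : "client.example.com";

    printf("%s in %s: %s\n", host, group,
           host_in_netgroup(group, host) ? "yes" : "no (or lookup failed, check syslog)");
    return 0;
}
```

A "no" from the OpenLDAP-linked build together with the libsldap "Bad search filter" line in /var/adm/messages reproduces the condition; a "yes" from the build without -lldap -llber for the same inputs confirms the directory data itself is fine.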
netgroups - what a strange invention :-). Thanks for pointing this out!
As you say: this looks like an OpenLDAP limitation. Samba can be compiled against the Netscape LDAP libs on Solaris for a while now. For the remaining limitations of the Netscape LDAP support there are one or two other bug reports open.