Bug 3460 - failed to match on user or group in token with LDAP
Summary: failed to match on user or group in token with LDAP
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.20b
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2006-01-28 10:06 UTC by Yasuhiro Fujii
Modified: 2008-12-17 18:40 UTC
Description Yasuhiro Fujii 2006-01-28 10:06:42 UTC
I set up Samba 3.0.20b (PDC) with OpenLDAP.
I created many Samba and POSIX groups.
And many users can't connect to shares.

The Samba (and POSIX) groups are:

posix gid from 30100 (cn is g30100) to 40100 (cn is g40100), mapped to Samba SIDs from S-1-5-21-148211337-xxxxx-xxxxxxx-61201 to S-1-5-21-148211337-xxxxxx-xxxxxx-81205
(x is a number, but I want to hide it for security reasons.)

Users belonging to posix gids 30100 to 30599 have no problem.
But posix gids from 30600 to 40100 are invalid.

User ken belongs to the POSIX and Samba groups from 30100 to 40100.
(He belongs to all groups.)
And I checked ken's groups.

net user INFO ken
Domain Users
g00100
g00101
g00103
g00106
g00108
(cut cut)
g00506
g00508

It just ends there.
I don't know why ken isn't shown as belonging to g00600 through g04100.
I can't get a normal group list.
And I checked the groups.

net rpc group
Password:
Domain Admins
Domain Users
Domain Guests
Domain Computers
g00100
g00101
g00102
g00103
(cut cut)
g40100

I can get the full group list.
Finally I checked the members of g00600.

net rpc group MEMBERS g00600
TEST-DOM\ken

I can get the normal g00600 members using the net rpc command,
but I can't use the smb.conf below.
ken can't connect to this share (access error).
smbd can't get g00600 information, either.

[test-share]
path = /test/
browseable = No
read only = No
valid users = @g00600,root
write list = @g00600
read list = g00601
create mask = 664
directory mask = 775

#log.smbd
[2006/01/29 01:56:42, 8] smbd/dosmode.c:dos_mode(294)
  dos_mode: .
[2006/01/29 01:56:42, 10] smbd/posix_acls.c:check_posix_acl_group_write(4069)
  check_posix_acl_group_write: file . failed to match on user or group in token (ret = -1).
[2006/01/29 01:56:42, 10] smbd/posix_acls.c:check_posix_acl_group_write(4078)
  check_posix_acl_group_write: file . returning (ret = -1).
[2006/01/29 01:56:42, 8] smbd/dosmode.c:dos_mode_from_sbuf(162)

root can access this share.

Ken's group g00600 is not valid.
I changed the group in valid users, write list and read list in smb.conf to g00500,
and when I access the share with a user belonging to g00500, I can access it.
Groups from g00600 on are invalid.

Please tell me how to fix this problem.
Comment 1 Yasuhiro Fujii 2006-01-28 12:21:35 UTC
#additional log.smbd (debug level 10)
[2006/01/29 03:18:39, 5] auth/auth_util.c:debug_nt_user_token(457)
NT user token of user S-1-5-21-xxxx-xxxx-xxxx-3000
contains 36 SIDs
SID[ 0]: S-1-5-21-xxxxx-xxxxx-xxxxx-3000
(cut cut)
  SID[ 29]: S-1-5-21-xxxxx-xxxxx-xxxxx-61821
  SID[ 30]: S-1-5-21-xxxxx-xxxxx-xxxxx-61825
  SID[ 31]: S-1-5-21-xxxxx-xxxxx-xxxxx-62001
  SID[ 32]: S-1-5-21-xxxxx-xxxxx-xxxxx-62005
  SID[ 33]: S-1-5-21-xxxxx-xxxxx-xxxxx-62009
  SID[ 34]: S-1-5-21-xxxxx-xxxxx-xxxxx-62013
SE_PRIV 0x0 0x0 0x0 0x0
[2006/01/29 03:18:39, 5] auth/auth_util.c:debug_unix_user_token(473)
UNIX token of user 1000
Primary group is 1000 and contains 32 supplementary groups
Group[ 0]: 1000
(cut cut)
Group[ 31]: 30508

It contains 36 SIDs, but only 32 unix groups.
I think getting the unix groups is broken.
And the unix id command has no problem:
id shows ken belongs to all his groups.
So smbd can't get all his unix groups, and that is why his access is invalid, I think.
Finally I added a new Samba user, and I set this account to belong to
36 groups.
And this account has the same trouble.
smbd has 36 SIDs, but just 31 unix groups.

Please tell me how to fix this so that all unix groups are obtained.
Comment 2 Volker Lendecke 2006-01-28 12:44:17 UTC
... And you are sure that your Unix kernel can assign more than 32 groups to a user? Many Unixes limit the number of groups a user can be in concurrently to 16 or 32.

Volker
Comment 3 Yasuhiro Fujii 2006-01-28 17:37:54 UTC
Would you tell me how to check the kernel limit?
My OS is x86/32 Red Hat 9.

Well, the id command, bash and su have no problem...
Samba sharing has a problem, but an id belonging to over 32 groups can log in with ssh and cd into all the directories this id is allowed.
Comment 4 Yasuhiro Fujii 2006-01-28 17:58:55 UTC
I checked the Samba source.

./include/includes.h

#ifndef NGROUPS_MAX
#define NGROUPS_MAX 32 /* Guess... */
#endif

Is my problem due to this define?
sysctl -a | grep ngroups_max 
kernel.ngroups_max = 65536
Comment 5 Yasuhiro Fujii 2006-01-29 02:03:09 UTC
Sorry.
This is not true for my OS.
This param was from another OS (Linux 2.6).

> sysctl -a | grep ngroups_max 
> kernel.ngroups_max = 65536

My linux-2.4 source, includes/limits.h:
#define NGROUPS_MAX       32    /* supplemental group IDs are available */

I'll try changing this param and Samba's limits.h.
I don't know if this is the right way, but I must go on...

Thank you.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2006-04-20 08:03:38 UTC
Severity should be determined by the developers and not the reporter.
Comment 7 Björn Jacke 2008-12-17 18:40:13 UTC
You have a too old Linux kernel; you need to update the entire system to get
support for more than 32 groups/user.