Bug 3460 - failed to match on user or group in token with LDAP
Summary: failed to match on user or group in token with LDAP
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.20b
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2006-01-28 10:06 UTC by Yasuhiro Fujii
Modified: 2008-12-17 18:40 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Yasuhiro Fujii 2006-01-28 10:06:42 UTC
I setup samba3.0.20b (PDC) with openldap.
I created many samba and posix groups.
And many users can't to connect shares.

samba(and posix) groups are

posix gid from 30100 (cn is g30100) to 40100 (cn is g40100) mapping to samba SID from S-1-5-21-148211337-xxxxx-xxxxxxx-61201 to S-1-5-21-148211337-xxxxxx-xxxxxx-81205
(x is number but I want to hide for security reason.)

Users belong to posix gid 30100 to 30599 has no problem.
But posix gid from 30600 to 40100 is invalid.

User ken belongs to posix and samba groups from 30100 to 40100.
(He belongs to all groups.) 
And I check Ken's groups.

net user INFO ken
Domain Users         
(cut cut)

Just end.
I don't know the reason why ken should be blonged from g00600 to g04100.
I can't get normal group list.
And I checked groups.

net rpc group
Domain Admins
Domain Users
Domain Guests
Domain Computers
(cut cut)

I can get all groups list.
Finally I checked g00600 members.

net rpc group MEMBERS g00600

I can get normal g00600 members using net rpc command
I can't use smb.conf below.
ken can't connect to this share for access error.
smbd can't get g00600 information,too.

path = /test/
browseable = No
read only = No
valid users = @g00600,root
write list = @g00600
read list = g00601
create mask = 664
directory mask = 775

[2006/01/29 01:56:42, 8] smbd/dosmode.c:dos_mode(294)
  dos_mode: .
[2006/01/29 01:56:42, 10] smbd/posix_acls.c:check_posix_acl_group_write(4069)
  check_posix_acl_group_write: file . failed to match on user or group in token (ret = -1).
[2006/01/29 01:56:42, 10] smbd/posix_acls.c:check_posix_acl_group_write(4078)
  check_posix_acl_group_write: file . returning (ret = -1).
[2006/01/29 01:56:42, 8] smbd/dosmode.c:dos_mode_from_sbuf(162)

Root can access to this share.

Ken's group g00600 is not valid.
I chaned smb.conf of the group of valid users,write list, read list to g00500,
and I access to the share with user belonging to g00500,I can access.
Groups From g00600 are invalid. 

Please tell me how to fix this problem.
Comment 1 Yasuhiro Fujii 2006-01-28 12:21:35 UTC
#additional log.smbd (debug level 10)
[2006/01/29 03:18:39, 5] auth/auth_util.c:debug_nt_user_token(457)
NT user token of user S-1-5-21-xxxx-xxxx-xxxx-3000
contains 36 SIDs
SID[ 0]: S-1-5-21-xxxxx-xxxxx-xxxxx-3000
(cut cut)
  SID[ 29]: S-1-5-21-xxxxx-xxxxx-xxxxx-61821
  SID[ 30]: S-1-5-21-xxxxx-xxxxx-xxxxx-61825
  SID[ 31]: S-1-5-21-xxxxx-xxxxx-xxxxx-62001
  SID[ 32]: S-1-5-21-xxxxx-xxxxx-xxxxx-62005
  SID[ 33]: S-1-5-21-xxxxx-xxxxx-xxxxx-62009
  SID[ 34]: S-1-5-21-xxxxx-xxxxx-xxxxx-62013
SE_PRIV 0x0 0x0 0x0 0x0
[2006/01/29 03:18:39, 5] auth/auth_util.c:debug_unix_user_token(473)
UNIX token of user 1000
Primary group is 1000 and contains 32 supplementary groups
Group[ 0]: 1000
(cut cut)
Group[ 31]: 30508

Contains 36 SID,but contains 32 unix groups.
I think getting unix group is broken.
And unix id command has no problem.
ID:Ken belongs to all his groups.
So,smbd can't his all unix groups,his access is invalid I think.
Finally I added new samba user,and I set this account belongs to
36 groups.
And this account has same trouble.
smbd has just 36 SIDs,but 31 unix groups.

Please tell me how to fix to getting to all unix groups.
Comment 2 Volker Lendecke 2006-01-28 12:44:17 UTC
... And you are sure that your Unix kernel can assign more than 32 groups to a user? Many Unixes limit the number of groups a user can be in concurrently to 16 or 32.

Comment 3 Yasuhiro Fujii 2006-01-28 17:37:54 UTC
Would you tell me how to check the kernel limit?
My OS is x86/32 redhat9.

Well,id command, bash, su has no problem...
samba sharing has problem, but the id belongs to 32 over groups can ssh login,cd the all directory this id is allowed.
Comment 4 Yasuhiro Fujii 2006-01-28 17:58:55 UTC
I checked the samba source.


#define NGROUPS_MAX 32 /* Guess... */

my problem is for this define?
sysctl -a | grep ngroups_max 
kernel.ngroups_max = 65536
Comment 5 Yasuhiro Fujii 2006-01-29 02:03:09 UTC
This is not ture my OS.
This param was the other OS(Linux-2.6).

> sysctl -a | grep ngroups_max 
> kernel.ngroups_max = 65536

linux my linux-2.4 source includes/limits.h
#define NGROUPS_MAX       32    /* supplemental group IDs are available */

I'll try change this param and samba limits.h.
I don't know this is right way but I must go...

Thank you.
Comment 6 Gerald (Jerry) Carter 2006-04-20 08:03:38 UTC
severity should be determined by the developers and not the reporter.
Comment 7 Björn Jacke 2008-12-17 18:40:13 UTC
you have a too old linux kernel, you need to update the entire system to get
support for more than 32 groups/user