The Samba-Bugzilla – Bug 3460
failed to match on user or group in token with LDAP
Last modified: 2008-12-17 18:40:13 UTC
I set up samba 3.0.20b (PDC) with openldap.
I created many samba and posix groups.
And many users can't connect to shares.
Samba (and posix) groups are
posix gids from 30100 (cn is g30100) to 40100 (cn is g40100), mapping to Samba SIDs from S-1-5-21-148211337-xxxxx-xxxxxxx-61201 to S-1-5-21-148211337-xxxxxx-xxxxxx-81205
(x is a number, but I want to hide it for security reasons.)
Users belonging to posix gids 30100 to 30599 have no problem.
But posix gids from 30600 to 40100 are invalid.
User ken belongs to posix and samba groups from 30100 to 40100.
(He belongs to all groups.)
And I check Ken's groups.
net user INFO ken
I don't know the reason why ken should belong to g00600 to g04100.
I can't get the normal group list.
And I checked groups.
net rpc group
I can get the list of all groups.
Finally I checked g00600 members.
net rpc group MEMBERS g00600
I can get the normal g00600 members using the net rpc command.
I can't use the smb.conf below.
ken can't connect to this share due to an access error.
smbd can't get g00600 information either.
path = /test/
browseable = No
read only = No
valid users = @g00600,root
write list = @g00600
read list = g00601
create mask = 664
directory mask = 775
[2006/01/29 01:56:42, 8] smbd/dosmode.c:dos_mode(294)
[2006/01/29 01:56:42, 10] smbd/posix_acls.c:check_posix_acl_group_write(4069)
check_posix_acl_group_write: file . failed to match on user or group in token (ret = -1).
[2006/01/29 01:56:42, 10] smbd/posix_acls.c:check_posix_acl_group_write(4078)
check_posix_acl_group_write: file . returning (ret = -1).
[2006/01/29 01:56:42, 8] smbd/dosmode.c:dos_mode_from_sbuf(162)
Root can access this share.
Ken's group g00600 is not valid.
I changed the group in smb.conf for valid users, write list and read list to g00500,
and when I access the share with a user belonging to g00500, I can access it.
Groups from g00600 are invalid.
Please tell me how to fix this problem.
#additional log.smbd (debug level 10)
[2006/01/29 03:18:39, 5] auth/auth_util.c:debug_nt_user_token(457)
NT user token of user S-1-5-21-xxxx-xxxx-xxxx-3000
contains 36 SIDs
SID[ 0]: S-1-5-21-xxxxx-xxxxx-xxxxx-3000
SID[ 29]: S-1-5-21-xxxxx-xxxxx-xxxxx-61821
SID[ 30]: S-1-5-21-xxxxx-xxxxx-xxxxx-61825
SID[ 31]: S-1-5-21-xxxxx-xxxxx-xxxxx-62001
SID[ 32]: S-1-5-21-xxxxx-xxxxx-xxxxx-62005
SID[ 33]: S-1-5-21-xxxxx-xxxxx-xxxxx-62009
SID[ 34]: S-1-5-21-xxxxx-xxxxx-xxxxx-62013
SE_PRIV 0x0 0x0 0x0 0x0
[2006/01/29 03:18:39, 5] auth/auth_util.c:debug_unix_user_token(473)
UNIX token of user 1000
Primary group is 1000 and contains 32 supplementary groups
Group[ 0]: 1000
Group[ 31]: 30508
Contains 36 SIDs, but contains 32 unix groups.
I think getting unix groups is broken.
And the unix id command has no problem.
id: Ken belongs to all his groups.
So, smbd can't get all his unix groups, so his access is invalid, I think.
Finally I added a new samba user, and I set this account to belong to
And this account has the same trouble.
smbd has just 36 SIDs, but 31 unix groups.
Please tell me how to fix getting all unix groups.
... And you are sure that your Unix kernel can assign more than 32 groups to a user? Many Unixes limit the number of groups a user can be in concurrently to 16 or 32.
Would you tell me how to check the kernel limit?
My OS is x86/32 redhat9.
Well, the id command, bash and su have no problem...
Samba sharing has a problem, but the id that belongs to over 32 groups can ssh login and cd to all the directories this id is allowed.
I checked the samba source.
#define NGROUPS_MAX 32 /* Guess... */
Is my problem due to this define?
sysctl -a | grep ngroups_max
kernel.ngroups_max = 65536
This is not true for my OS.
This param was from the other OS (Linux-2.6).
> sysctl -a | grep ngroups_max
> kernel.ngroups_max = 65536
My linux-2.4 source includes/limits.h:
#define NGROUPS_MAX 32 /* supplemental group IDs are available */
I'll try changing this param and samba's limits.h.
I don't know if this is the right way, but I must go...
Severity should be determined by the developers and not the reporter.
You have a too-old Linux kernel; you need to update the entire system to get
support for more than 32 groups/user.
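The diagnosis in this thread comes down to two different views of a user's groups: what NSS (LDAP here) returns, which is what `id` prints, and what the kernel will actually hold in a process's credential set, which is capped at NGROUPS_MAX (32 on Linux 2.4). smbd's ACL code matches group ACL entries against the kernel-side token, so any group past the cap is silently absent and the user is denied. The following is an added example written for this page, not Samba code and not from the bug report: it reads the running kernel's limit, checks a real account's NSS group count, and replays the report's situation with a constructed 36-group user (gids 1000 and 30100 upward, invented for the demo) against a 32-group limit. Names such as `build_token`, `demo_acl_match` and `nss_group_count` are this example's own.

```c
/* Added example, not Samba code: NSS group list vs. the kernel's group token.
 * Build: cc -Wall -o grouplimit grouplimit.c ; run: ./grouplimit [user] */
#define _GNU_SOURCE
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef NGROUPS_MAX
#define NGROUPS_MAX (-1) /* libc headers without a compile-time guess */
#endif

/* Runtime limit on supplementary groups per process as the running kernel
 * reports it (on Linux, the value behind kernel.ngroups_max). The
 * compile-time NGROUPS_MAX from <limits.h> is only the build host's guess. */
long kernel_group_limit(void) {
    return sysconf(_SC_NGROUPS_MAX);
}

/* The membership test an ACL check performs against a process token:
 * is gid among the groups the kernel actually holds for the process? */
int gid_in_token(gid_t gid, const gid_t *token, int ntoken) {
    for (int i = 0; i < ntoken; i++)
        if (token[i] == gid)
            return 1;
    return 0;
}

/* Build the token a daemon ends up with when it installs an NSS group list
 * longer than `limit`: entries past the limit are dropped, which is what a
 * fixed NGROUPS_MAX-sized array does. Returns the number of entries kept. */
int build_token(const gid_t *nss_groups, int nnss, long limit,
                gid_t *token, int cap) {
    int keep = nnss;
    if (keep > limit) keep = (int)limit;
    if (keep > cap)   keep = cap;
    memcpy(token, nss_groups, (size_t)keep * sizeof(gid_t));
    return keep;
}

/* Constructed demo user (not real account data): primary gid 1000 plus 35
 * supplementary gids 30100, 30116, ... stepping by 16; 36 entries in all,
 * like the 36-SID account in the report. */
#define DEMO_NGROUPS 36
static int demo_groups(gid_t *out) {
    out[0] = 1000;
    for (int i = 1; i < DEMO_NGROUPS; i++)
        out[i] = 30100 + (gid_t)(i - 1) * 16;
    return DEMO_NGROUPS;
}

/* How many of the demo user's groups a kernel with `limit` drops. */
int demo_groups_lost(long limit) {
    gid_t nss[DEMO_NGROUPS], token[DEMO_NGROUPS];
    int n = demo_groups(nss);
    return n - build_token(nss, n, limit, token, DEMO_NGROUPS);
}

/* Would an ACL entry for `gid` match the demo user on a kernel with
 * `limit`? 1 = match, 0 = silently denied because the gid was cut off. */
int demo_acl_match(gid_t gid, long limit) {
    gid_t nss[DEMO_NGROUPS], token[DEMO_NGROUPS];
    int n = demo_groups(nss);
    int kept = build_token(nss, n, limit, token, DEMO_NGROUPS);
    return gid_in_token(gid, token, kept);
}

/* Live check of a real account: the group count NSS returns for it, i.e.
 * the view `id` shows, independent of any kernel limit. -1 if unknown. */
int nss_group_count(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw)
        return -1;
    int n = 0;
    getgrouplist(user, pw->pw_gid, NULL, &n); /* sizing call: sets n */
    gid_t *groups = calloc((size_t)(n > 0 ? n : 1), sizeof(gid_t));
    if (!groups)
        return -1;
    int rc = getgrouplist(user, pw->pw_gid, groups, &n);
    free(groups);
    return rc < 0 ? -1 : n;
}

int main(int argc, char **argv) {
    const char *user = argc > 1 ? argv[1] : "root";
    long limit = kernel_group_limit();
    printf("compile-time NGROUPS_MAX = %d, kernel limit = %ld\n",
           (int)NGROUPS_MAX, limit);
    int nss = nss_group_count(user);
    if (nss < 0)
        printf("user %s: not found via NSS\n", user);
    else
        printf("user %s: NSS reports %d groups; %s\n", user, nss,
               nss > limit ? "EXCEEDS kernel limit, token will be cut"
                           : "fits in the kernel limit");
    /* The report's situation: 36 groups against a 2.4 kernel limit of 32. */
    printf("demo user on a 32-group kernel: %d groups lost; "
           "gid 30580 matches=%d, gid 30596 matches=%d\n",
           demo_groups_lost(32), demo_acl_match(30580, 32),
           demo_acl_match(30596, 32));
    return 0;
}
```

Run it as `./grouplimit ken` on the PDC: if the NSS count exceeds the kernel limit, that account will lose its trailing groups in every process that calls setgroups() for it, exactly the 36-SID/32-group mismatch in the debug output, and no smb.conf change can restore them. Because the ACL match runs against the truncated token, `valid users = @group` entries for the dropped groups fail closed (denied), which is the failure seen here; the fix is the one the developer gives, a kernel with a larger group limit.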