I set up samba 3.0.20b (PDC) with openldap. I created many samba and posix groups, and many users can't connect to shares.

samba (and posix) groups are posix gid from 30100 (cn is g30100) to 40100 (cn is g40100), mapping to samba SID from S-1-5-21-148211337-xxxxx-xxxxxxx-61201 to S-1-5-21-148211337-xxxxxx-xxxxxx-81205 (x is a number, but I want to hide it for security reasons).

Users belonging to posix gid 30100 to 30599 have no problem, but posix gid from 30600 to 40100 is invalid.

User ken belongs to posix and samba groups from 30100 to 40100 (he belongs to all groups). And I checked Ken's groups:

  net user INFO ken
  Domain Users
  g00100
  g00101
  g00103
  g00106
  g00108
  (cut cut)
  g00506
  g00508

Just end. I don't know the reason why ken should be belonged from g00600 to g04100. I can't get the normal group list.

And I checked groups:

  net rpc group
  Password:
  Domain Admins
  Domain Users
  Domain Guests
  Domain Computers
  g00100
  g00101
  g00102
  g00103
  (cut cut)
  g40100

I can get the full group list.

Finally I checked g00600 members:

  net rpc group MEMBERS g00600
  TEST-DOM\ken

I can get the normal g00600 members using the net rpc command.

I can't use the smb.conf below. ken can't connect to this share because of an access error. smbd can't get g00600 information, too.

  [test-share]
  path = /test/
  browseable = No
  read only = No
  valid users = @g00600,root
  write list = @g00600
  read list = g00601
  create mask = 664
  directory mask = 775

#log.smbd

  [2006/01/29 01:56:42, 8] smbd/dosmode.c:dos_mode(294)
    dos_mode: .
  [2006/01/29 01:56:42, 10] smbd/posix_acls.c:check_posix_acl_group_write(4069)
    check_posix_acl_group_write: file . failed to match on user or group in token (ret = -1).
  [2006/01/29 01:56:42, 10] smbd/posix_acls.c:check_posix_acl_group_write(4078)
    check_posix_acl_group_write: file . returning (ret = -1).
  [2006/01/29 01:56:42, 8] smbd/dosmode.c:dos_mode_from_sbuf(162)

Root can access this share. Ken's group g00600 is not valid.
I changed the group in valid users, write list and read list in smb.conf to g00500, and when I access the share with a user belonging to g00500, I can access it. Groups from g00600 are invalid. Please tell me how to fix this problem.
#additional log.smbd (debug level 10)

  [2006/01/29 03:18:39, 5] auth/auth_util.c:debug_nt_user_token(457)
    NT user token of user S-1-5-21-xxxx-xxxx-xxxx-3000 contains 36 SIDs
    SID[ 0]: S-1-5-21-xxxxx-xxxxx-xxxxx-3000
    (cut cut)
    SID[ 29]: S-1-5-21-xxxxx-xxxxx-xxxxx-61821
    SID[ 30]: S-1-5-21-xxxxx-xxxxx-xxxxx-61825
    SID[ 31]: S-1-5-21-xxxxx-xxxxx-xxxxx-62001
    SID[ 32]: S-1-5-21-xxxxx-xxxxx-xxxxx-62005
    SID[ 33]: S-1-5-21-xxxxx-xxxxx-xxxxx-62009
    SID[ 34]: S-1-5-21-xxxxx-xxxxx-xxxxx-62013
    SE_PRIV 0x0 0x0 0x0 0x0
  [2006/01/29 03:18:39, 5] auth/auth_util.c:debug_unix_user_token(473)
    UNIX token of user 1000
    Primary group is 1000 and contains 32 supplementary groups
    Group[ 0]: 1000
    (cut cut)
    Group[ 31]: 30508

It contains 36 SIDs, but only 32 unix groups. I think getting the unix groups is broken. The unix id command has no problem: id shows that Ken belongs to all his groups. So smbd can't get all his unix groups, and his access is invalid, I think.

Finally I added a new samba user and set this account to belong to 36 groups. This account has the same trouble: smbd has the 36 SIDs, but only 31 unix groups. Please tell me how to fix getting all the unix groups.
... And you are sure that your Unix kernel can assign more than 32 groups to a user? Many Unixes limit the number of groups a user can be in concurrently to 16 or 32.

Volker
Would you tell me how to check the kernel limit? My OS is x86/32 redhat9. Well, the id command, bash and su have no problem... samba sharing has the problem, but an id belonging to more than 32 groups can ssh login and cd to all the directories this id is allowed.
I checked the samba source, ./include/includes.h:

  #ifndef NGROUPS_MAX
  #define NGROUPS_MAX 32 /* Guess... */
  #endif

Is my problem caused by this define?

  sysctl -a | grep ngroups_max
  kernel.ngroups_max = 65536
Sorry. This is not true for my OS. This param was from the other OS (Linux-2.6).

> sysctl -a | grep ngroups_max
> kernel.ngroups_max = 65536

My linux-2.4 source, includes/limits.h:

  #define NGROUPS_MAX 32 /* supplemental group IDs are available */

I'll try changing this param and samba's limits.h. I don't know if this is the right way, but I must go... Thank you.
severity should be determined by the developers and not the reporter.
You have a too-old Linux kernel; you need to update the entire system to get support for more than 32 groups per user.
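The question earlier in the thread was how to check the kernel's supplementary-group limit, and the last reply attributes the missing share access to that limit. The following C program is an added example, not code from the thread or from Samba: it reads the compile-time NGROUPS_MAX from <limits.h>, the running kernel's limit via sysconf(_SC_NGROUPS_MAX) (the same value sysctl reports as kernel.ngroups_max on Linux), and the number of groups the current process actually holds. It then models the symptom described above with a constructed group list of 36 gids (30100, 30200, ... 33600; these are not the poster's real gids): with a limit of 32, any group beyond the 32nd entry is silently dropped from the process credentials, so a share whose valid users names that group is unreachable even though the directory says the user is a member.

```c
#include <limits.h>
#include <stdio.h>
#include <unistd.h>

/* Compile-time limit from <limits.h>. A program such as smbd is built
 * against this value; Samba's includes.h guesses 32 when it is absent. */
long compile_time_ngroups_max(void)
{
#ifdef NGROUPS_MAX
    return NGROUPS_MAX;
#else
    return -1; /* header did not define it */
#endif
}

/* Run-time limit of the running kernel (kernel.ngroups_max on Linux). */
long runtime_ngroups_max(void)
{
    return sysconf(_SC_NGROUPS_MAX);
}

/* Number of supplementary groups the calling process actually holds. */
int current_supplementary_groups(void)
{
    return getgroups(0, NULL);
}

/* Model of the thread's symptom: the kernel keeps at most `limit`
 * supplementary groups, so entries past that point in the user's group
 * list never make it into the process credentials. Returns 1 if
 * `required` survives the cut, 0 if it is dropped or not listed at all. */
int group_survives_truncation(const unsigned *gids, int n, long limit,
                              unsigned required)
{
    int kept = (long)n < limit ? n : (int)limit;
    for (int i = 0; i < kept; i++)
        if (gids[i] == required)
            return 1;
    return 0;
}

#define SAMPLE_GROUPS 36

/* Constructed group list for a user like "ken" who is in 36 groups:
 * gid 30100 + 100*i. These are sample values, not the poster's data. */
static void build_sample_gids(unsigned *out)
{
    for (int i = 0; i < SAMPLE_GROUPS; i++)
        out[i] = 30100u + 100u * (unsigned)i;
}

/* Would the sample user reach a share that requires `required`
 * under a kernel that holds at most `limit` supplementary groups? */
int sample_user_can_reach(long limit, unsigned required)
{
    unsigned gids[SAMPLE_GROUPS];
    build_sample_gids(gids);
    return group_survives_truncation(gids, SAMPLE_GROUPS, limit, required);
}

int main(void)
{
    printf("compile-time NGROUPS_MAX : %ld\n", compile_time_ngroups_max());
    printf("kernel NGROUPS_MAX       : %ld\n", runtime_ngroups_max());
    printf("groups held by this pid  : %d\n", current_supplementary_groups());

    /* With the 2.4-era limit of 32, the 33rd and later groups vanish. */
    printf("gid 30100 usable at limit 32   : %d\n", sample_user_can_reach(32, 30100));
    printf("gid 33200 usable at limit 32   : %d\n", sample_user_can_reach(32, 33200));
    printf("gid 33300 usable at limit 32   : %d\n", sample_user_can_reach(32, 33300));
    printf("gid 33300 usable at limit 65536: %d\n", sample_user_can_reach(65536, 33300));
    return 0;
}
```

If the kernel value printed is 32 while the directory service lists more groups for the user, the truncation modelled here is happening in the kernel, and no smb.conf or Samba header change will restore the missing groups; the list of groups a user is in must be kept at or under that limit, or the kernel upgraded as the last reply says.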