Bug 395 - Failure to init secondary groups (MS SFU, padl nss_ldap & solaris 8)
Failure to init secondary groups (MS SFU, padl nss_ldap & solaris 8)
Status: RESOLVED WONTFIX
Product: Samba 3.0
Classification: Unclassified
Component: File Services
3.0.0preX
All Solaris
: P1 major
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks: 1126
  Show dependency treegraph
 
Reported: 2003-09-03 08:33 UTC by Michel GRISANTI
Modified: 2005-11-14 09:27 UTC (History)
1 user (show)

See Also:


Attachments
nss winbind patch for Solaris 8 secondary groups (1001 bytes, patch)
2004-01-08 16:29 UTC, John Klinger
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michel GRISANTI 2003-09-03 08:33:37 UTC
Configuration
Windows 2000 Forest with MSSFU schema (only schema no NIS services)
Solaris 8 server with PADL NSS LDAP and Kerberos authentication

User cannot acces directory if the rights are based on a secondary group
It seems that secondary groups are not found


Here a log 10 level

[2003/09/03 21:42:44, 10] lib/util.c:dump_data(1887)
  [000] 04 00 00 EC 03 00 00 00  00 5C 00 72 00 64 00 69  ........ .\.r.d.i
  [010] 00 73 00 5C 00 53 00 47  00 2D 00 73 00 68 00 61  .s.\.S.G .-.s.h.a
  [020] 00 72 00 65 00 00 00                              .r.e...
[2003/09/03 21:42:44, 3] smbd/process.c:switch_message(685)
  switch message SMBtrans2 (pid 9158)
[2003/09/03 21:42:44, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (702, 702) - sec_ctx_stack_ndx = 0
[2003/09/03 21:42:44, 5] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-3343041157-3844517643-2476834904-2404
  contains 5 SIDs
  SID[  0]: S-1-5-21-3343041157-3844517643-2476834904-2404
  SID[  1]: S-1-5-21-3343041157-3844517643-2476834904-2405
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
[2003/09/03 21:42:44, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 702
  Primary group is 702 and contains 2 supplementary groups
  Group[  0]: 702
  Group[  1]: 702
[2003/09/03 21:42:44, 5] smbd/uid.c:change_to_user(203)
  change_to_user uid=(0,702) gid=(0,702)
[2003/09/03 21:42:44, 4] smbd/vfs.c:vfs_ChDir(611)
  vfs_ChDir to /datacenter/support
[2003/09/03 21:42:44, 3] smbd/trans2.c:call_trans2qfilepathinfo(1901)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2003/09/03 21:42:44, 5] smbd/filename.c:unix_convert(114)
  unix_convert called on file "\rdis\SG-share"
[2003/09/03 21:42:44, 3] lib/util.c:unix_clean_name(580)
  unix_clean_name [/rdis/SG-share]
[2003/09/03 21:42:44, 5] smbd/statcache.c:stat_cache_add(177)
  stat_cache_add: Added entry RDIS/SG-SHARE -> rdis/SG-share
[2003/09/03 21:42:44, 5] smbd/filename.c:unix_convert(183)
  conversion finished rdis/SG-share -> rdis/SG-share
[2003/09/03 21:42:44, 8] lib/util.c:is_in_path(1535)
  is_in_path: rdis/SG-share
[2003/09/03 21:42:44, 8] lib/util.c:is_in_path(1539)
  is_in_path: no name list.
[2003/09/03 21:42:44, 3] lib/util.c:unix_clean_name(580)
  unix_clean_name [rdis/SG-share]
[2003/09/03 21:42:44, 3] smbd/trans2.c:call_trans2qfilepathinfo(1929)
  call_trans2qfilepathinfo rdis/SG-share (fnum = -1) level=1004 call=5 
total_data=0
[2003/09/03 21:42:44, 8] smbd/dosmode.c:dos_mode(122)
  dos_mode: rdis/SG-share
[2003/09/03 21:42:44, 8] lib/util.c:is_in_path(1535)
  is_in_path: rdis/SG-share
[2003/09/03 21:42:44, 8] lib/util.c:is_in_path(1539)
  is_in_path: no name list.
[2003/09/03 21:42:44, 8] smbd/dosmode.c:dos_mode(168)
  dos_mode returning d
[2003/09/03 21:42:44, 5] smbd/trans2.c:call_trans2qfilepathinfo(2035)
  SMB_QFBI - create: Tue Aug 26 16:54:01 2003
   access: Wed Sep  3 21:41:19 2003
   write: Tue Aug 26 16:54:01 2003
   change: Tue Aug 26 16:54:01 2003
   mode: 10
[2003/09/03 21:42:44, 9] smbd/trans2.c:send_trans2_replies(178)
  t2_rep: params_sent_thistime = 2, data_sent_thistime = 40, useable_space = 
131010
[2003/09/03 21:42:44, 9] smbd/trans2.c:send_trans2_replies(180)
  t2_rep: params_to_send = 2, data_to_send = 40, paramsize = 2, datasize = 40
[2003/09/03 21:42:44, 6] lib/util_sock.c:write_socket(407)
  write_socket(16,104)
[2003/09/03 21:42:44, 6] lib/util_sock.c:write_socket(410)
  write_socket(16,104) wrote 104
[2003/09/03 21:42:44, 10] lib/util_sock.c:read_smb_length_return_keepalive(463)
  got smb length of 114
[2003/09/03 21:42:44, 6] smbd/process.c:process_smb(889)
  got message type 0x0 of len 0x72
[2003/09/03 21:42:44, 3] smbd/process.c:process_smb(890)
  Transaction 4 of length 118
[2003/09/03 21:42:44, 5] lib/util.c:show_msg(456)
[2003/09/03 21:42:44, 5] lib/util.c:show_msg(466)
  size=114
  smb_com=0x32
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=1
  smb_pid=1928
  smb_uid=100
  smb_mid=256
  smt_wct=15
  smb_vwv[ 0]=   46 (0x2E)
  smb_vwv[ 1]=    0 (0x0)
  smb_vwv[ 2]=   10 (0xA)
  smb_vwv[ 3]=16384 (0x4000)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=    0 (0x0)
  smb_vwv[ 6]=    0 (0x0)
  smb_vwv[ 7]=    0 (0x0)
  smb_vwv[ 8]=    0 (0x0)
  smb_vwv[ 9]=   46 (0x2E)
  smb_vwv[10]=   68 (0x44)
  smb_vwv[11]=    0 (0x0)
  smb_vwv[12]=    0 (0x0)
  smb_vwv[13]=    1 (0x1)
  smb_vwv[14]=    1 (0x1)
  smb_bcc=49
[2003/09/03 21:42:44, 10] lib/util.c:dump_data(1887)
  [000] 04 00 00 16 00 56 05 06  00 04 01 00 00 00 00 5C  .....V.. .......\
  [010] 00 72 00 64 00 69 00 73  00 5C 00 53 00 47 00 2D  .r.d.i.s .\.S.G.-
  [020] 00 73 00 68 00 61 00 72  00 65 00 5C 00 2A 00 00  .s.h.a.r .e.\.*..
  [030] 00                                                .
[2003/09/03 21:42:44, 3] smbd/process.c:switch_message(685)
  switch message SMBtrans2 (pid 9158)
[2003/09/03 21:42:44, 4] smbd/uid.c:change_to_user(122)
  change_to_user: Skipping user change - already user
[2003/09/03 21:42:44, 3] smbd/trans2.c:call_trans2findfirst(951)
  call_trans2findfirst: dirtype = 22, maxentries = 1366, close_after_first=0, 
close_if_end = 1 requires_resume_key = 1 level = 260, max_data_bytes = 16384
[2003/09/03 21:42:44, 5] smbd/filename.c:unix_convert(114)
  unix_convert called on file "\rdis\SG-share\*"
[2003/09/03 21:42:44, 3] lib/util.c:unix_clean_name(580)
  unix_clean_name [/rdis/SG-share/*]
[2003/09/03 21:42:44, 5] smbd/filename.c:unix_convert(188)
  unix_convert begin: name = rdis/SG-share/*, dirpath = rdis/SG-share, start = *
[2003/09/03 21:42:44, 5] smbd/filename.c:unix_convert(323)
  New file *
[2003/09/03 21:42:44, 8] lib/util.c:is_in_path(1535)
  is_in_path: rdis/SG-share/*
[2003/09/03 21:42:44, 8] lib/util.c:is_in_path(1539)
  is_in_path: no name list.
[2003/09/03 21:42:44, 3] lib/util.c:unix_clean_name(580)
  unix_clean_name [rdis/SG-share/*]
[2003/09/03 21:42:44, 5] smbd/trans2.c:call_trans2findfirst(993)
  dir=rdis/SG-share, mask = *
[2003/09/03 21:42:44, 5] smbd/dir.c:start_dir(334)
  start_dir dir=rdis/SG-share
[2003/09/03 21:42:44, 8] lib/util.c:is_in_path(1535)
  is_in_path: rdis/SG-share
[2003/09/03 21:42:44, 8] lib/util.c:is_in_path(1539)
  is_in_path: no name list.
[2003/09/03 21:42:44, 3] lib/util.c:unix_clean_name(580)
  unix_clean_name [rdis/SG-share]
[2003/09/03 21:42:44, 3] smbd/error.c:error_packet(94)
  error string = Permission denied
[2003/09/03 21:42:44, 3] smbd/error.c:error_packet(113)
  error packet at smbd/trans2.c(1010) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
Comment 1 Gerald (Jerry) Carter 2003-09-04 20:46:08 UTC
Are you a member of the AD domain?  Are you running winbindd?  You 
problem is most likely due to SID<->uid/gid resolution.  Try running 
winbindd and setting "trusted domains only = yes"
Comment 2 Gerald (Jerry) Carter 2003-09-05 06:34:34 UTC
Are you running 'winbind use default domain = yes'?
This is possibley related to bug 406.
Comment 3 Michel GRISANTI 2003-09-05 07:07:31 UTC
It seems to be the same problem than bug 406.
But I do not use winbindd I don' need it because all user informations stored 
in AD are both windows and unix and NSS do the job.

I have try to set winbind use default domain = False but this do not change 
anything.
Comment 4 Gerald (Jerry) Carter 2003-10-07 06:27:48 UTC
what is the actual group membership that I should 
see for the user in the log (group names and gid's)?

I only see

  NT user token of user S-1-5-21-3343041157-3844517643-2476834904-2404
  contains 5 SIDs
  SID[  0]: S-1-5-21-3343041157-3844517643-2476834904-2404
  SID[  1]: S-1-5-21-3343041157-3844517643-2476834904-2405
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11

  UNIX token of user 702
  Primary group is 702 and contains 2 supplementary groups
  Group[  0]: 702
  Group[  1]: 702
Comment 5 Michel GRISANTI 2003-10-07 09:15:41 UTC
user is member of the following groups

mgrisant.sunos023# id -a mgrisant
uid=702(mgrisant) gid=702(gmgrisant) groups=1005(gvmserver),700(rdisadm),2031
(TopemethoA),2010(TrdisA)
Comment 6 Gerald (Jerry) Carter 2003-10-07 09:33:02 UTC
ok.  I still think this is related to bug 406, but 
probably in the opposite fashion.  What I need to finish 
this is a level 10 debug log including the direct 
SMBsesssetup command.

If you set smbd at level 10 and then connect with 
smbclient as the user, that should be enough.
You can mail the log file to me directly instead of
including it here.  

Thanks.
Comment 7 Gerald (Jerry) Carter 2003-11-07 07:26:28 UTC
ok.  Sorry for the delay.  I'm back on this one:

Here's what I see....

  NT user token of user S-1-5-21-57989841-776561741-682003330-1117
  contains 13 SIDs
  SID[  0]: S-1-5-21-57989841-776561741-682003330-1117
  SID[  1]: S-1-5-21-57989841-776561741-682003330-1144
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-57989841-776561741-682003330-512
  SID[  6]: S-1-5-21-57989841-776561741-682003330-7802
  SID[  7]: S-1-5-21-57989841-776561741-682003330-513
  SID[  8]: S-1-5-21-57989841-776561741-682003330-1140
  SID[  9]: S-1-5-21-57989841-776561741-682003330-519
  SID[ 10]: S-1-5-21-57989841-776561741-682003330-1142
  SID[ 11]: S-1-5-21-57989841-776561741-682003330-3838
  SID[ 12]: S-1-5-21-57989841-776561741-682003330-4890

  UNIX token of user 702
  Primary group is 702 and contains 2 supplementary groups
  Group[  0]: 702
  Group[  1]: 702

Group 702 matches:
  local_gid_to_sid: Fall back to algorithmic mapping: 
     702 -> S-1-5-21-3263274372-2597681947-2126427605-2405
  gid_to_sid: local 702 -> S-1-5-21-3263274372-2597681947-2126427605-2405
  fetch sid from gid cache 
     702 -> S-1-5-21-3263274372-2597681947-2126427605-2405

I'm guessing that getgrouplist_internal() is failing.  

Comment 8 Gerald (Jerry) Carter 2003-11-07 07:41:34 UTC
You might want to try the patch for bug 680
that was just checked in.  Just a hunch.
Comment 9 Gerald (Jerry) Carter 2003-11-29 09:52:26 UTC
Does this bug still exist in 3.01.pre3 ?  
You've been very helpful, but I need some 
help moving forward.  Just feedback on the current 
CVS code would be good.  Thanks.
Comment 10 Michel GRISANTI 2003-12-02 01:01:26 UTC
Yes, the bug still exist in Solaris environment with 3.01.pre3.
But i tried on Linux x86, the issue seems to be corrected in this environment.
Comment 11 Gerald (Jerry) Carter 2003-12-02 06:39:40 UTC
Michael,  

Please take a look at this message and see if any of this 
applies to you.  Thanks.

http://marc.theaimsgroup.com/?l=samba-technical&m=107026747906385&w=2
Comment 12 Gerald (Jerry) Carter 2003-12-03 19:58:59 UTC
Just in case the URL for the email mentioned in comment #11 foes bad:

  With patch 112960-03 and below, everything works fine. With patch
  newer than 112960-03, Samba cann't get the supplementary
  group information for a user from directory server.
  Therefore, the user gets access denied when access to
  those files with supplementary group permission.
Comment 13 Gerald (Jerry) Carter 2003-12-03 20:15:28 UTC
Moving this one off the must fix list for 3.0.1 since it appears to be a problem
with a Solaris patch.
Comment 14 Michel GRISANTI 2003-12-03 23:13:01 UTC
I cannot access the url.

The patch 112960 is a solaris 9 patch and not solaris 8.

Comment 15 Gerald (Jerry) Carter 2003-12-04 05:51:31 UTC
strange about the URL.  I just checked it and it is still valid.

wrt to the patch, i'll write some test code today and see if 
we can narrow the problem.  I'll mail it to you directly.
Comment 16 Gerald (Jerry) Carter 2003-12-12 08:27:48 UTC
reseting target milestone.  3.0.1 has been frozen.  WIll have to 
re-evaluate these.
Comment 17 John Klinger 2004-01-08 16:29:33 UTC
Created attachment 355 [details]
nss winbind patch for Solaris 8 secondary groups

The Solaris 8 wrapper wasn't performing the secondary group initialization. The
enclosed patch adds the appropriate code to call the linux initgroups function.
Preliminary tests are successful, but I'm going to be making further tests to
ensure there were no side effects.

If anyone in the samba team already identified issues, causing this code not to
be added, please let me know.
Comment 18 Gerald (Jerry) Carter 2004-01-14 13:15:38 UTC
I'll take the patch but the original bug was a 
problem with nss_ldap (which I think is a solaris
issue).

Michael, is there any update on the original report?
Comment 19 Gerald (Jerry) Carter 2004-01-14 13:44:12 UTC
(I got this mail which seems relevant)

I had the same problem today and wrote this testprogramm.
Samba uses the systemcall getgrouplist (in my case)
try this program

#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <stdlib.h>

int main(void)
{
  int ngroups = 16;
  gid_t *groups = (gid_t *) malloc (ngroups * sizeof (gid_t));
  gid_t secondaries[1024];

  printf("%d\n", getgrouplist("your_user", 0, groups, &ngroups));
}

if the user ist in more than one ldap groups and only one 
is find, than nss_switch.conf is not correct like Jerry 
allready noted 

[root@zweigelt source]# ./a.out
7

You can see it with

[root@zweigelt source]# strace ./a.out

/etc/nsswitch.conf is opend
but then it only opens /lib/libnss_files.so.2 (in my case)
which means it looks for groups only in local files

simply try

  group:       files ldap

and in my case it worked (I had

  group:      files  [UNAVAIL=return] ldap

which works with the system tool like getent and id -a , but not with the
systemcall..)

Greetings

Hansjörg



execve("./a.out", ["./a.out"], [/* 30 vars */]) = 0
uname({sys="Linux", node="zweigelt.itsd.de", ...}) = 0
brk(0)                                  = 0x80495d8
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40016000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=80536, ...}) = 0
old_mmap(NULL, 80536, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000
close(3)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1531064, ...}) = 0
old_mmap(0x42000000, 1257224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000
old_mmap(0x4212e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x12e000) = 0x4212e000
old_mmap(0x42131000, 7944, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42131000
close(3)                                = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0x40016a00, limit:1048575,
seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0,
useable:1}) = 0
munmap(0x40017000, 80536)               = 0
brk(0)                                  = 0x80495d8
brk(0x804a5d8)                          = 0x804a5d8
brk(0)                                  = 0x804a5d8
brk(0x804b000)                          = 0x804b000
open("/etc/nsswitch.conf", O_RDONLY)    = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1835, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40017000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1835
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x40017000, 4096)                = 0
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=80536, ...}) = 0
old_mmap(NULL, 80536, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000
close(3)                                = 0
open("/lib/libnss_files.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\35\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=52472, ...}) = 0
old_mmap(NULL, 47068, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4002b000
old_mmap(0x40036000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0xa000) = 0x40036000
close(3)                                = 0
munmap(0x40017000, 80536)               = 0
open("/etc/group", O_RDONLY)            = 3





-- 
Dr. Hansjörg Maurer 
Comment 20 Dmitry Monakhov 2004-02-25 02:38:21 UTC
Hi!
I have the same problem with Solaris-9 nss_ldap from PADL.com
and samba-3.0.2a. Supplemantary groups from LDAP are not even reguested from 
LDAP Server according to the LDAP server log file. 
However everything is working
under unix enviroment.

[2004/02/25 12:44:48, 5] auth/auth_util.c:(505)
  UNIX token of user 225
  Primary group is 1 and contains 2 supplementary groups
  Group[  0]: 1
  Group[  1]: 1
[2004/02/25 12:44:48, 3] smbd/sec_ctx.c:(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/02/25 12:44:48, 3] smbd/uid.c:(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/02/25 12:44:48, 3] smbd/sec_ctx.c:(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/02/25 12:44:48, 5] auth/auth_util.c:(486)

id -a ssi
uid=225(ssi) gid=1(other) groups=112(support),1000(users)


Comment 21 Gerald (Jerry) Carter 2004-03-01 09:32:03 UTC
Everything in this bug report points to a Solaris  problem.  Trying 
to clear out old bugs.
Comment 22 Gerald (Jerry) Carter 2005-02-07 09:06:00 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 23 Gerald (Jerry) Carter 2005-11-14 09:27:27 UTC
database cleanup