There is a FreeBSD-6.1 box with the gcc 3.4.4 compiler (the default). The box is a member of an ADS domain. Everything was working perfectly with samba-3.0.22. After upgrading it to samba-3.0.23_1 (and 3.0.23a) from the FreeBSD ports collection, the following problem appeared.

The system does not seem to recognize that a user is a member of some domain group, and does not grant him appropriate permissions. For example, there is a directory test

#ls -al /tmp
drwxrwx--- 2 bill DOMAINNAME/algocod 512 Jul 24 14:16 test
#ls -anl /tmp
drwxrwx--- 2 20004 20014 512 Jul 24 14:16 test

There is a user jim who is a member of DOMAINNAME/algocode

#wbinfo -n jim
S-1-5-21-2532163386-3195846559-1994112731-1107
# wbinfo --user-domgroups S-1-5-21-2532163386-3195846559-1994112731-1107
S-1-5-21-2532163386-3195846559-1994112731-1107
S-1-5-21-2532163386-3195846559-1994112731-1144
S-1-5-21-2532163386-3195846559-1994112731-513
# wbinfo -s S-1-5-21-2532163386-3195846559-1994112731-1144
DOMAINNAME/AlgoCode 2
# wbinfo -r jim
20014
20001
20023

User jim should be able to read from test, and this was the case with samba-3.0.22. But now (with samba-3.0.23_1) it does not work:

jim$ ls /tmp/test/
ls: : Permission denied

However, jim is able to read from a directory which is owned by him.

log.winbindd contains a lot of messages like

[2006/07/24 15:12:19, 0] nsswitch/winbindd.c:request_len_recv(517)
  request_len_recv: Invalid request size received: 1836

sizeof(winbindd_request) appears to be equal to 1840.

On the other hand, pam_winbind seems to work perfectly. The version of the nss library seems to be the same as the one of winbindd.

# ls -al /usr/local/lib/nss*
-r-xr-xr-x 1 root wheel 16664 Jul 24 13:39 /usr/local/lib/nss_winbind.so.1
-r-xr-xr-x 1 root wheel 748308 Jul 24 13:39 /usr/local/lib/nss_wins.so.1
# ls -al /usr/local/sbin/winb*
-rwxr-xr-x 1 root wheel 2129111 Jul 24 13:39 /usr/local/sbin/winbindd

My nsswitch.conf file looks as follows:

group: files winbind #compat
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind #compat
passwd_compat: nis
shells: files
Peter,

There were several token handling bugs fixed in 3.0.23b. Could you give that release a try please. If things still break, please post the output from `id` while logged on as user "jim". Thanks.
It still does not work with 3.0.23b. It looks like domain group membership is not detected.

jim$ id
uid=20001(jim) gid=20001(Domain Users) groups=20001(Domain Users)

#wbinfo -r jim
20014
20001
20023

Accidentally, uid and gid are the same for this user. But the problem is experienced by all domain users.
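The comparison the two outputs above invite, as an added example (not part of the original thread and not Samba code): it parses one line of `id` output and the GID list from `wbinfo -r`, and reports the GIDs winbind knows about that NSS does not hand to the process. The function names are hypothetical; the sample strings are the outputs quoted in this thread.

```python
import re

# One "gid(name)" or bare "gid" entry inside a field of id(1) output.
ENTRY = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_id(line):
    """Parse one line of `id` output into (uid, gid, groups).

    Fields are taken by position, not by label, because the label of the
    third field is localized ("groups=", "grupos=", ...). groups is a
    {gid: name} dict, or None when the field is absent (the Solaris `id`
    output quoted in the thread prints only uid and gid).
    """
    parts = re.split(r"\s+(?=\w+=\d)", line.strip())
    values = [p.partition("=")[2] for p in parts]
    if len(values) < 2 or not all(ENTRY.match(v) for v in values[:2]):
        raise ValueError("not id output: %r" % line)
    uid = int(ENTRY.match(values[0]).group(1))
    gid = int(ENTRY.match(values[1]).group(1))
    groups = None
    if len(values) > 2:
        groups = {int(m.group(1)): m.group(2)
                  for m in ENTRY.finditer(values[2])}
    return uid, gid, groups


def parse_wbinfo_gids(text):
    """GIDs printed by `wbinfo -r <user>`, one per line or space-separated."""
    return {int(tok) for tok in text.split()}


def compare_groups(id_line, wbinfo_text):
    """Report GIDs winbind resolves for the user that `id` does not show."""
    uid, gid, groups = parse_id(id_line)
    winbind = parse_wbinfo_gids(wbinfo_text)
    if groups is None:
        # Nothing to compare against: do not report a false "ok".
        return {"uid": uid, "status": "no-groups-field",
                "missing": None, "only_nss": None}
    nss = set(groups) | {gid}
    missing = sorted(winbind - nss)
    return {"uid": uid,
            "status": "mismatch" if missing else "ok",
            "missing": missing,              # known to winbind, absent from id
            "only_nss": sorted(nss - winbind)}  # e.g. local /etc/group entries


# (id output, wbinfo -r output) pairs as quoted in this thread.
SAMPLES = {
    "jim": ("uid=20001(jim) gid=20001(Domain Users) groups=20001(Domain Users)",
            "20014 20001 20023"),
    "luebke": ("uid=11982(luebke) gid=10513(domainusers) groups=10513(domainusers)",
               "10513 13546"),
    "LUEBKE": ("uid=11982(luebke) gid=10513(domainusers) "
               "groups=10513(domainusers),13546(mailusers)", "10513 13546"),
    "NTBV+winuser": ("uid=5000(NTBV+winuser) gid=5006(NTBV+DOMAINUSERS)",
                     "5001 5002 5003 5004 5006 5007 5008"),
}

if __name__ == "__main__":
    for name, (id_line, wb) in SAMPLES.items():
        print(name, compare_groups(id_line, wb))
```

A non-empty `missing` list means file and ACL checks that depend on those groups will fail for the user even though winbind resolves the membership.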
I experienced a similar behavior on samba-3.0.23a-1 on debian sarge from http://de.samba.org/samba/ftp/Binary_Packages/Debian sarge samba as a member of a win2k3 pdc domain.

(user LUEBKE was created in capital letters on the pdc)

# wbinfo -r LUEBKE
10513
13546
# wbinfo -r luebke
10513
13546
# id luebke
uid=11982(luebke) gid=10513(domainusers) groups=10513(domainusers)
# id LUEBKE
uid=11982(luebke) gid=10513(domainusers) groups=10513(domainusers),13546(mailusers)
I experience the same problem as Peter described.

OS: FreeBSD 5.2 with Samba 3.0.23c

Winbind's logfile contains a lot of the following messages:

[2006/09/20 09:15:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(829)
  could not lookup domain group CERTSVC_DCOM_ACCESS
[2006/09/20 09:15:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(106)
  could not lookup membership for group rid S-1-5-21-1220945662-436374069-1202660629-5193 in domain DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
[2006/09/20 09:15:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(829)
  could not lookup domain group TelnetClients
Hello,

I'm also getting the same problem with 3.0.23b and 3.0.23c. OS is GNU/Linux with kernel 2.4.32.

Setup of domains is as follows:
NT4 domain trusts an AD domain
Samba servers are members of the NT4 domain

Aside from the inconsistencies between wbinfo and id, there are also discrepancies between wbinfo and the AD domain. When a user is added to a new group in the AD, wbinfo lists that user in a different group. Even after sending SIGHUP to winbindd, it stays incorrect. After some time though, it eventually corrects itself. But before it does, there's an amount of time where the user will be in the correct group, but still be a member of the incorrect one.

Thanks,
Franz
Hi,

I seem to be hitting this as well. I'm running 3.0.23c on a Sparc Solaris 8 platform. I have winbindd running (no PAM) and I am acting as a member server of our domain. Both wbinfo -u and -g produce a list of Windows users and groups. getent passwd has the full combined list of Unix and Windows accounts, however, getent group shows the Unix groups and ONLY the Domain Admins Windows group.

Here is the relevant section of my smb.conf file:

[global]
    log file = /usr/local/samba/var/log.%m
    netbios name = groucho1
    guest account = iusersbli
    server string = Test Production Server
    workgroup = SBLI
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    winbind enum users = yes
    winbind enum groups = yes
    debug level = 3
    os level = 1
    username map = /usr/local/samba/lib/user.map
    security = DOMAIN
    disable spoolss = yes
    show add printer wizard = no

Todd
Just a follow up on this bug. The case of the domain name affects the results of id. When I use all small letters, it is incomplete. However, when I use the name as used in the windows domain, ie all caps, id gives the correct and complete results.
Franz, this is not the case on my system. For me both id DOMAIN/jim and id domain/jim report jim to be a member of "Domain Users" group only. However, I am using "winbind use default domain = Yes"
Hi,

I think I've got another instance of this bug:

I'm running 3.0.23c on a Sun Solaris 10 platform (kernel 5.10). I have winbindd running (no PAM) and I am acting as a member server of our win2k3 domain. Both wbinfo -u and -g produce a list of the Windows users and groups. getent passwd has the full combined list of Unix and Windows accounts, however, getent group shows the Unix groups and the Windows Domain groups.

I mounted the share on my Windows XP machine. The user on the WinXP machine is in the group "MyDomain\group_alpha". All good. I can access and create folders .....

Then I created on my Solaris machine, in my Samba share folder "all", 2 subfolders.

Folders: Permissions Owner Acl
1. "folderA" with rwxrwx--- root root group: group_beta:rwx
2. "folderB" with rwxrwx--- root root group: group_gama:rwx

After this I added via "setfacl -m g:MyDomain\\group_beta:rwx folderA" the group "group_beta" to the first folder. The same I did with the folder "folderB": I added the group "group_gama" (rwx).

Now at the Windows machine, my user "winuser" mounted the Samba share. So, "winuser" is a member of the valid share user group "group_alpha"; all AD users are members of this group. On the two other folders in the share I added permissions for two other groups. So, the "winuser" should have rights to read, write, execute to the "folderA", because "winuser" is also a member of "group_beta", but he doesn't have permissions for "folderB".

My problem is now that I can not enter "folderA" and "folderB"! (Windows prompt: I don't have permissions for this..)

The same scenario with adding acl-"users" directly without acl-"group" is working. So I think that samba ignores my supplementary groups for acl!!!

I tested a lot and I found out that Samba 3.0.2.3c only gives access to users for subfolders in shares which have acl permissions for groups which are the primary group of the entering winuser. So, Samba ignores the secondary groups!

Here is the relevant section of my smb.conf file:

[global]
    display charset = UTF-8
    workgroup = NTBV
    realm = XXX.TEST.DE
    interfaces = 172.16.203.144
    security = ADS
    client schannel = No
    password server = pwserver.xxx.de
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    log level = 2
    log file = /usr/local/samba/var/log.%m
    ldap ssl = no
    idmap uid = 5000-100000000
    idmap gid = 5000-100000000
    template homedir = /usr/local/samba/%D/%U
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes

[all]
    comment = Testverzeichnis
    path = /export/home/all
    valid users = @domain+group_office
    admin users = domain+admin
    read only = No

By running the commands "#id winuser" and "#wbinfo -r winuser" I got the following output:

bash-3.00# id NTBV+winuser
uid=5000(NTBV+winuser) gid=5006(NTBV+DOMAINUSERS)

bash-3.00# /usr/local/samba/bin/wbinfo -r NTBV+winuser
5001
5002
5003
5004
5006
5007
5008

And here is my groupmapping (#net groupmap list):

#Administrators (S-1-5-32-544) -> DOMAIN+alle
#root (S-1-5-21-3454502962-1315390950-1018511800-1001) -> root
#Users (S-1-5-32-545) -> BUILTIN+users

I hope this will be bug fixed. :)
I'm using samba 3.0.23c from debian backports and I am finding some problems. This host has worked flawlessly since a few months ago. But now it stopped working properly.

My versions are:

ii winbind 3.0.23c-1~bpo.1 service to resolve user and group information from Windows N
ii samba 3.0.23c-1~bpo.1 a LanManager-like file and printer server for Unix
ii samba-common 3.0.23c-1~bpo.1 Samba common files used by both the server and the client

My confs are the following

/etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind [NOTFOUND=return] db
group: compat winbind [NOTFOUND=return] db
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

[global]
    workgroup = IBEU
    realm = IBEU.ORG.BR
    server string = Servidor de arquivos central
    security = ADS
    password server = ibeu_nt2 ibeu_nt 10.1.1.238 10.1.1.231
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    username map = /etc/samba/users.map
    username level = 8
    log level = 4
    #vfs:2
    syslog = 0
    syslog only = 0
    log file = /var/log/samba/log.%m.%U
    max log size = 0
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
    logon script = scripts\startup.bat
    logon path = \\%L\profiles\%u\%m
    logon drive = F:
    logon home = \\%L\%u\.win_profile\%m
    os level = 6
    preferred master = No
    local master = No
    domain master = No
    wins server = 10.1.1.238
    remote announce = 10.1.1.255/IBEU
    remote browse sync = 10.1.1.255
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 10000-20000
    template homedir = /dados/home/%U
    template shell = /dev/null
    winbind separator = /
    winbind use default domain = Yes
    # recycle:maxsize = 10240000
    # recycle:touch = no
    # recycle:keeptree = yes
    # recycle:repository = /dados/lixeira
    invalid users = root
    printer admin = @admins
    acl group control = Yes
    inherit permissions = Yes
    inherit acls = Yes
    printing = cups
    print command =
    lpq command = %p
    lprm command =
    # vfs objects = recycle
    #extd_audit

[homes]
    comment = Home Directories
    read only = No
    create mask = 0700
    directory mask = 0700
    browseable = No

[profiles]
    path = /dados/profiles
    read only = No
    create mask = 0600
    directory mask = 070

[IPC$]
    path = /tmp
    read only = No
    guest ok = Yes

[printers]
    comment = All Printers
    path = /tmp
    create mask = 0700
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    write list = root, @admins

Behind this only user shares (I have commented out some things because I'm trying to find out where the problem is).

Samba and winbind are running (ps aux shows them).

Users can connect on shares etc..

Here is some command output

zaphod:/etc/samba# wbinfo -p
Ping to winbindd succeeded on fd 4
zaphod:/etc/samba# wbinfo -u
full user list . . . .
zaphod:/etc/samba# wbinfo -g
full group list...

BUT!

zaphod:/etc/samba# getent passwd
just show /etc/passwd users

zaphod:/etc/samba# getent group
just show /etc/group users

Weirdest thing!!

zaphod:/etc/samba# getent passwd igormorgado
igormorgado:*:10000:10000:Igor Morgado:/dados/home/igormorgado:/dev/null

zaphod:/etc/samba# getent group admins
admins:x:10003:servicos,vhogemann,igormorgado,lidia,diogo,nelson,admin,ramos,eliane,JEANNE,Administrador

Retrieve winbind data!!

Even more weirdest!

zaphod:/etc/samba# id igormorgado
uid=10000(igormorgado) gid=10000(Domain Users) grupos=10000(Domain Users)

It lists only my primary group, not all groups, but as you could notice I'm in the admins group too.

More data:

zaphod:/etc/samba# nss_updatedb winbind
Failed to enumerate nameservice: Success
passwd... nameservice unavailable.

I have tried to remove the winbind cache file (as ||cw told me on the irc channel) but it didn't help.

There is no pam configuration about winbind; this is because I didn't need unix authenticating on winbind or anything like that (just users on samba).

I have another host with the same configuration but using these versions:

ii winbind 3.0.14a-3sarge1 service to resolve user and group information from Windows N
ii samba 3.0.14a-3sarge1 a LanManager-like file and printer server for Unix
ii samba-common 3.0.14a-3sarge1 Samba common files used by both the server and the client

But I need some options in samba 3.0.22 (as acl group control and inherit).

I have the same config running on 3.0.14 flawlessly
I have downgraded to 3.0.22 and everything is normal .. (without changing any configuration)
The parameter "winbind enum groups" (WEG) seems to affect this problem.

1. wbinfo -r shows spurious GID (both with WEG=yes and WEG=no) which does not resolve to a SID
2. id shows all groups with WEG=yes and only "Domain Users" with WEG=no
3. If WEG=yes, the user can access a directory of his group, but with WEG=no this is not possible.
(In reply to comment #10)

Exactly the same bug in fedora core 5 with
samba-common-3.0.23c-1.fc5
samba-3.0.23c-1.fc5

Impossible to make getent display passwd or group but if i take some group or user alone it's ok but not for all.
getent group solva
solva:*:10002:milergJ,ezarPA
getent passwd ouchi
ouchi:*:10000:10000:Bouchindhomme Herve:/home/ouchi:/bin/bash

BUT getent group or getent passwd give only local user and group

AND getent group DSO returns nothing

I couldn't find a common point between the groups which couldn't be retrieved by getent.
(In reply to comment #13)
> getent group solva
> solva:*:10002:milergJ,ezarPA
> getent passwd ouchi
> ouchi:*:10000:10000:Bouchindhomme Herve:/home/ouchi:/bin/bash
>
> BUT getent group or getent passwd give only local user and group

This is expected and was documented in the release notes. By default, winbind will no longer enumerate groups and users. See smb.conf(5).
Some additional observations on the case and group dependency of the usernames.

system:
* debian sarge using winbind (3.0.23c, .deb from samba.org) joined on AD win2k3 sp2 domain with "security = ADS" and "winbind nested groups = yes, winbind enum users = yes, winbind enum groups = yes"

groups "global_primary", "global1" and "global2" are all created as global groups on the Windows host.
group "global2" is a member of "global1" in AD.

groups "local1" and "local2" are both created as 'local groups' inside the AD on the Windows host.
group "local2" is a member of "local1".

user "bei" was created on the windows pdc (all lowercase) with primary group "global_primary"
user "bei" is member of two groups: "local2" and "global2" (and the primary group "global_primary")

the following is observed:

bei@sambatest:/$ id bEi
uid=13585(bei) gid=17643(global_primary) groups=17643(global_primary)

bei@sambatest:/$ id bei
uid=13585(bei) gid=17643(global_primary) groups=17643(global_primary),17637(global2),17640(lokal2)

bei@sambatest:/$ id
uid=13585(bei) gid=17643(global_primary) groups=17636(global1),17637(global2),17640(lokal2),17643(global_primary)

bei@sambatest:/$ wbinfo -r bei
17637
17643
17636
17640

You may notice that nested groups are completely ignored for "local groups". ("local1" does not occur anywhere)
We also have this occurrence after the implementation of 3.0.23d. The problem is erratic and is causing false account lockouts as the error generates a wrong password error.

***************
init_sam_from_ldap: Entry found for user: jack
[2006/11/21 12:41:10, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 3207
[2006/11/21 12:41:10, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/11/21 12:41:10, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/11/21 12:41:10, 0] passdb/passdb.c:pdb_update_bad_password_count(1378)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2006/11/21 12:41:10, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: jack
[2006/11/21 12:41:10, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [jack] -> [jack] FAILED with error NT_STATUS_WRONG_PASSWORD
***************
Hi!

I recently implemented code to get the flat list of an AD user's group memberships in a trusted multi-forest environment. The process is really not performance-friendly...

Maybe it helps:

1. get the primary group from the primaryGroupID property
2. get groups where the user is a member directly from the memberOf property
3. repeat step 2 on each object which was returned in memberOf; these are group objects which can be members of other groups... this is what is missing from winbind I think!
4. check between ForeignSecurityPrincipals on each root DN for objectSids of groups collected before; if anything is found, step 3 should be executed on that AD; there can be nested memberships too... this may be missing too...

I don't know how win does this... the tokenGroups property or win32 call doesn't report all these memberships either.

I think this is much more than what the "nested groups" stands for.

The reason for its need is simple: I would like to say "valid users = +MYDOMAIN\share_blabla_users" in smb.conf and after that assign individual users OR OTHER GROUPS to the share_blabla_users AD group via MS ADUC and see that a user who is not directly but through some other group a member of share_blabla_users can access that share! (like on any win member servers functioning)

How can I help You to accomplish this?
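The four steps listed in the comment above, as an added example (not the commenter's code and not winbind's): a breadth-first expansion over in-memory directory entries that follows primaryGroupID, memberOf, nested memberOf, and ForeignSecurityPrincipals in other root DNs, and stops on membership loops. The directory contents, DNs and SIDs are constructed sample data, the function name is hypothetical, and memberOf values are assumed to name entries under the same root DN.

```python
from collections import deque

CORP, PARTNER = "DC=corp,DC=example", "DC=partner,DC=example"
C, P = "S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"

# Constructed sample: alice -> team -> dept (and dept -> team, a loop);
# dept is a foreign principal in PARTNER, member of share_blabla_users.
DIRECTORIES = {
    CORP: {
        "CN=alice," + CORP: {"objectSid": C + "-1107", "primaryGroupID": 513,
                             "memberOf": ["CN=team," + CORP]},
        "CN=Domain Users," + CORP: {"objectSid": C + "-513"},
        "CN=team," + CORP: {"objectSid": C + "-1201",
                            "memberOf": ["CN=dept," + CORP]},
        "CN=dept," + CORP: {"objectSid": C + "-1202",
                            "memberOf": ["CN=team," + CORP]},
    },
    PARTNER: {
        "CN=%s-1202,CN=ForeignSecurityPrincipals,%s" % (C, PARTNER): {
            "objectSid": C + "-1202",
            "memberOf": ["CN=share_blabla_users," + PARTNER]},
        "CN=share_blabla_users," + PARTNER: {
            "objectSid": P + "-2001", "memberOf": ["CN=all_shares," + PARTNER]},
        "CN=all_shares," + PARTNER: {"objectSid": P + "-2002"},
    },
}


def flat_group_sids(user_dn, directories):
    """Return the SIDs of every group the user is in, directly or nested."""
    home = next(root for root, d in directories.items() if user_dn in d)
    user = directories[home][user_dn]
    queue, seen, sids = deque(), set(), set()

    def enqueue(root, dn):
        # seen holds every (root, dn) already queued, so loops terminate.
        if dn in directories[root] and (root, dn) not in seen:
            seen.add((root, dn))
            queue.append((root, dn))

    def enqueue_foreign(sid, origin):
        # Step 4: another directory represents this SID as an object named
        # CN=<sid> under CN=ForeignSecurityPrincipals; follow its memberOf.
        for root, d in directories.items():
            if root != origin:
                fsp = "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid, root)
                for dn in d.get(fsp, {}).get("memberOf", ()):
                    enqueue(root, dn)

    # Step 1: primaryGroupID is a RID inside the user's own domain.
    primary_sid = "%s-%d" % (user["objectSid"].rsplit("-", 1)[0],
                             user["primaryGroupID"])
    for dn, entry in directories[home].items():
        if entry.get("objectSid") == primary_sid:
            enqueue(home, dn)
    # Step 2: direct memberships.
    for dn in user.get("memberOf", ()):
        enqueue(home, dn)
    # The user's own SID is checked as well (an extension of step 4 as written).
    enqueue_foreign(user["objectSid"], home)

    # Step 3: expand each group's own memberships until nothing new appears.
    while queue:
        root, dn = queue.popleft()
        group = directories[root][dn]
        sids.add(group["objectSid"])
        for parent in group.get("memberOf", ()):
            enqueue(root, parent)
        enqueue_foreign(group["objectSid"], root)
    return sids


if __name__ == "__main__":
    for sid in sorted(flat_group_sids("CN=alice," + CORP, DIRECTORIES)):
        print(sid)
```

With this sample, alice reaches share_blabla_users only through team, dept and the foreign principal, which is the access path the comment wants "valid users" to honour.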
Has this been fixed in 3.0.23d? Release notes don't seem to specify.

id (and samba) fail to report/see any *supplementary* groups for the user if the username's case doesn't *exactly* match the case as defined on the PDC, but wbinfo -u, -g, getent passwd, group correctly list all users and groups.

If user is defined only on the PDC as 'Henry', then 'id Henry' reports all initial, and supplementary groups, but 'id henry' only reports the one initial group. Samba seems to be doing the same thing as id and using 'henry' and doesn't see any supplementary groups resulting in total mayhem.

Doesn't this basically break all domain member servers assuming many MS PDC's are configured with mixed case usernames?
Nothing happens. Please tell how can we help You to solve this bug!
Timur, I've added you to the CC list. Can you confirm this bug on FreeBSD? Thanks.
(In reply to comment #18)
>
> If user is defined only on the PDC as 'Henry', then 'id
> Henry' reports all initial, and supplementary groups, but
> 'id henry' only reports the one initial
> group. Samba seems to be doing the same thing as id and
> using 'henry' and doesn't see any supplementary groups
> resulting in total mayhem.

The 'id' command (unless you are logged in as the user) is not a valid test case IMO since it uses getgrent() to walk the group IIRC. I cannot reproduce this.

>
> Doesn't this basically break all domain member servers assuming many MS PDC's
> are configured with mixed case usernames?
>
[global]
    workgroup = ELDIN-WORK
    server string =
    security = ads
    hosts allow = 192.168. 127.
    load printers = no
    log file = /usr/local/samba/var/log.%m
    max log size = 500
    password server = ELDIN-MAIL.......
    realm = ELDIN.ORG
    socket options = IPTOS_LOWDELAY TCP_NODELAY
    interfaces = vlan3
    bind interfaces only = Yes
    local master = no
    os level = 0
    domain master = no
    preferred master = no
    domain logons = no
    wins support = no
    wins proxy = no
    dns proxy = no
    display charset = windows-1251
    unix charset = koi8-r
    dos charset = cp866
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    auth methods = winbind
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes
    winbind separator = +
    name resolve order = hosts wins bcast lmhosts
    template homedir = /home/%D/%U
    template shell = /sbin/nologin
    case sensitive = no
    netbios name = ELDIN-DOCS
    client use spnego = no
    client schannel = no
    server signing = auto
    client signing = no
    client signing = auto
    nt acl support = yes
    acl compatibility = win2k
    announce as = NT

[kmview]
    browseable = no
    guest ok = yes
    ; writable = no
    writable = yes
    path = /usr/local/eldin-docs/disk2/kmview
    ; write list = @"ELDIN-WORK+Администраторы домена", "ELDIN-WORK+morozov", "ELDIN-WORK+ogk-server"
    create mask = 0644
    directory mask = 0755
    force user = ftp
    force group = ftp

Here is my config.
Samba 3.0.24
FreeBSD 6.2

If I uncomment "write list" & "writable = no" then users in "write list" can't write to this share. On 3.0.22 all work fine.
This might be seen as a FreeBSD bug in its setgroups() implementation:

http://lists.freebsd.org/pipermail/freebsd-bugs/2004-July/007959.html
http://lists.freebsd.org/pipermail/freebsd-bugs/2005-March/011831.html

It would be nice to get some comments from FreeBSD developers on this.

For a workaround in Samba see
http://marc.info/?l=samba-technical&m=117976475614078&w=2
The patch referenced below at:
http://marc.info/?l=samba-technical&m=117976475614078&w=2

Fixes this problem for me. To confirm with 3.0.25 (no patch), Samba does not respect the group permissions, but with this patch everything works correctly.

Cam

(In reply to comment #23)
> this might be seen as a FreeBSD bug in its setgroups() implementation:
>
> http://lists.freebsd.org/pipermail/freebsd-bugs/2004-July/007959.html
> http://lists.freebsd.org/pipermail/freebsd-bugs/2005-March/011831.html
>
> it would be nice to get some comments from FreeBSD developers on this.
>
> For a workaround in Samba see
> http://marc.info/?l=samba-technical&m=117976475614078&w=2
>
James, If possible I'd like to wrap this one up before 3.0.25b (not set release date yet).
Created attachment 2731
Cleaned up version of the patch from ML

This is the patch how it appears in the FreeBSD net/samba3 port. Please check it on your systems and give feedback.

Timur
(In reply to comment #25)
> James, If possible I'd like to wrap this one up before
> 3.0.25b (not set release date yet).

Jerry, I include this patch (see attachment) to the FreeBSD port for 3.0.25a. Just to keep you informed.
(In reply to comment #23)
> this might be seen as a FreeBSD bug in its setgroups() implementation:
>
> For a workaround in Samba see
> http://marc.info/?l=samba-technical&m=117976475614078&w=2

Bjorn, thanks a lot for the work you've done! I'm including your patch into the net/samba3 port, hopefully it'll end up in the official branch too.

I'll try to pass the message to developers to get their feedback as well.

With best regards,
Timur
Fixed in 3.0.26
*** Bug 2441 has been marked as a duplicate of this bug. ***