Bug 3990 - Incorrect handling of group permissions/FreeBSD/setgroups problem
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.23a
Hardware: x86 FreeBSD
Importance: P2 major
Target Milestone: 3.0.26
Assigned To: James Peach
QA Contact: Samba QA Contact
Duplicates: 2441
Reported: 2006-08-02 10:21 UTC by Peter Trifonov
Modified: 2009-01-25 13:49 UTC (History)
Attachments
Cleaned up version of the patch from ML (1.25 KB, patch), 2007-06-02 21:12 UTC, Timur Bakeyev

Description Peter Trifonov 2006-08-02 10:21:54 UTC
There is a FreeBSD-6.1 box with the gcc 3.4.4 compiler (the default).
The box is a member of an ADS domain. Everything was working perfectly with samba-3.0.22.
After upgrading it to samba-3.0.23_1 (and 3.0.23a) from the FreeBSD ports collection, the following problem appeared.

The system does not seem to recognize that a user is a member of some domain group, and does not grant him the appropriate permissions. For example, there is a directory test:

#ls -al /tmp
drwxrwx---   2 bill    DOMAINNAME/algocod     512 Jul 24 14:16 test
#ls -anl /tmp
drwxrwx---   2 20004  20014     512 Jul 24 14:16 test

There is a user jim who is a member of DOMAINNAME/algocode

#wbinfo -n jim
S-1-5-21-2532163386-3195846559-1994112731-1107
# wbinfo --user-domgroups S-1-5-21-2532163386-3195846559-1994112731-1107
S-1-5-21-2532163386-3195846559-1994112731-1107
S-1-5-21-2532163386-3195846559-1994112731-1144
S-1-5-21-2532163386-3195846559-1994112731-513

# wbinfo -s S-1-5-21-2532163386-3195846559-1994112731-1144
DOMAINNAME/AlgoCode 2

# wbinfo -r jim
20014
20001
20023


User jim should be able to read from test, and this was the case with samba-3.0.22.

But now (with samba-3.0.23_1) it does not work:

jim$ ls /tmp/test/
ls: : Permission denied

However, jim is able to read from a directory which is owned by him. 

log.winbindd contains a lot of messages like:
[2006/07/24 15:12:19, 0] nsswitch/winbindd.c:request_len_recv(517)
  request_len_recv: Invalid request size received: 1836

sizeof(winbindd_request) appears to be equal to 1840.

On the other hand, pam_winbind seems to work perfectly.

The version of the nss library seems to be the same as that of winbindd.

# ls -al /usr/local/lib/nss*
-r-xr-xr-x  1 root  wheel   16664 Jul 24 13:39 /usr/local/lib/nss_winbind.so.1
-r-xr-xr-x  1 root  wheel  748308 Jul 24 13:39 /usr/local/lib/nss_wins.so.1
# ls -al /usr/local/sbin/winb*
-rwxr-xr-x  1 root  wheel  2129111 Jul 24 13:39 /usr/local/sbin/winbindd

My nsswitch.conf file looks as follows:

group: files winbind #compat
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind #compat
passwd_compat: nis
shells: files
Comment 1 Gerald (Jerry) Carter 2006-08-08 10:37:43 UTC
Peter, there were several token handling bugs fixed in
3.0.23b. Could you give that release a try, please?
If things still break, please post the output from `id`
while logged on as user "jim". Thanks.
Comment 2 Peter Trifonov 2006-08-08 12:35:13 UTC
It still does not work with 3.0.23b. It looks like domain
group membership is not detected.

jim$ id
uid=20001(jim) gid=20001(Domain Users) groups=20001(Domain Users)

#wbinfo -r jim
20014
20001
20023

Accidentally, uid and gid are the same for this user. But the problem is experienced by all domain users.

Comment 3 Bastian Schmitz 2006-08-15 11:24:38 UTC
I experienced a similar behavior on samba-3.0.23a-1 on Debian sarge from
http://de.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
as a member of a win2k3 PDC domain. (User LUEBKE was created in capital letters on the PDC.)

# wbinfo -r LUEBKE
10513
13546
# wbinfo -r luebke
10513
13546
# id luebke
uid=11982(luebke) gid=10513(domainusers) groups=10513(domainusers)
# id LUEBKE
uid=11982(luebke) gid=10513(domainusers) groups=10513(domainusers),13546(mailusers)
Comment 4 Igor Govorukhin 2006-09-20 00:17:37 UTC
I experience the same problem as Peter described. 

OS: FreeBSD 5.2 with Samba 3.0.23c

Winbind's logfile contains a lot of the following messages:

[2006/09/20 09:15:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(829)
  could not lookup domain group CERTSVC_DCOM_ACCESS
[2006/09/20 09:15:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(106)
  could not lookup membership for group rid S-1-5-21-1220945662-436374069-1202660629-5193 in domain DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
[2006/09/20 09:15:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(829)
  could not lookup domain group TelnetClients
Comment 5 franz strebel 2006-09-26 04:01:30 UTC
Hello,

I'm also getting the same problem with 3.0.23b and 3.0.23c.
OS is GNU/Linux with kernel 2.4.32.  Setup of domains is as
follows:

NT4 domain trusts an AD domain
Samba servers are members of the NT4 domain

Aside from the inconsistencies between wbinfo and id, there
are also discrepancies between wbinfo and the AD domain.  When
a user is added to a new group in the AD, wbinfo lists that
user in a different group.  Even after sending SIGHUP to winbindd,
it stays incorrect.  After some time though, it eventually
corrects itself.  But before it does, there's an amount of time
where the user will be in the correct group, but still be a member
of the incorrect one.

Thanks,
Franz
Comment 6 Todd Barbera 2006-10-06 07:21:23 UTC
Hi,

I seem to be hitting this as well. I'm running 3.0.23c on a Sparc Solaris 8 platform. I have winbindd running (no PAM) and I am acting as a member server of our domain. Both wbinfo -u and -g produce a list of Windows users and groups. getent passwd has the full combined list of Unix and Windows accounts, however, getent group shows the Unix groups and ONLY the Domain Admins Windows group. Here is the relevant section of my smb.conf file:

[global]
        log file = /usr/local/samba/var/log.%m
        netbios name = groucho1
        guest account = iusersbli
        server string = Test Production Server
        workgroup = SBLI
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind enum users = yes
        winbind enum groups = yes
        debug level = 3
        os level = 1
        username map = /usr/local/samba/lib/user.map
        security = DOMAIN
        disable spoolss = yes
        show add printer wizard = no

Todd
Comment 7 franz strebel 2006-10-09 07:51:26 UTC
Just a follow-up on this bug. The case of the domain name affects the results of id.

When I use all small letters, it is incomplete. However, when I use the name as used in the Windows domain, i.e. all caps, id gives the correct and complete results.
Comment 8 Peter Trifonov 2006-10-09 07:57:21 UTC
Franz, 

this is not the case on my system.
For me both 
id DOMAIN/jim 
and 
id domain/jim

report jim to be a member of "Domain Users" group only. 

However, I am using "winbind use default domain = Yes"
Comment 9 björn 2006-10-12 04:11:29 UTC
Hi,

I think I've got another instance of this bug:
I'm running 3.0.23c on a Sun Solaris 10 platform (kernel 5.10).
I have winbindd running (no PAM) and I am acting as a member server
of our win2k3 domain. Both wbinfo -u and -g produce a list of the Windows users and groups. getent passwd has the full combined list of Unix and Windows accounts;
however, getent group shows the Unix groups and the Windows domain
groups.

I mounted the share on my Windows XP machine.
The user on the WinXP machine is in the group "MyDomain\group_alpha".
All good.
I can access and create folders.
Then I created on my Solaris machine in my Samba share folder "all" 2 subfolders.
Then I created on my Solaris-machine in my Samba-Share-folder "all" 2 Subfolders.
Folders:            Permissions      Owner        ACL
1. "folderA" with   rwxrwx---        root  root   group: group_beta:rwx
2. "folderB" with   rwxrwx---        root  root   group: group_gama:rwx
 
After this I added via "setfacl -m g:MyDomain\\group_beta:rwx folderA" the group "group_beta" to the first folder.
The same I did with the folder "folderB": I added the group "group_gama" (rwx).

Now at the Windows machine, my user "winuser" mounted the Samba share.
So, "winuser" is a member of the valid share user group "group_alpha"; all AD users are members of this group. On the two other folders in the share I added permissions for two other groups. So, "winuser" should have rights to read, write and execute on "folderA", because "winuser" is also a member of "group_beta", but he doesn't have permissions for "folderB".

My problem is now that I can not enter "folderA" and "folderB"!
(Windows prompt: I don't have permissions for this..)

The same scenario with adding ACL users directly without ACL groups is working.

So I think that Samba ignores my supplementary groups for ACLs!!!
I tested a lot and I found out that Samba 3.0.23c only gives access to users for subfolders in shares which have ACL permissions for groups which are the primary group of the entering winuser. So, Samba ignores the secondary groups!

Here is the relevant section of my smb.conf file:
[global]
display charset = UTF-8
workgroup = NTBV
realm = XXX.TEST.DE
interfaces = 172.16.203.144
security = ADS
client schannel = No
password server = pwserver.xxx.de
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 2
log file = /usr/local/samba/var/log.%m
ldap ssl = no
idmap uid = 5000-100000000
idmap gid = 5000-100000000
template homedir = /usr/local/samba/%D/%U
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes

[all]
comment = Testverzeichnis
path = /export/home/all
valid users = @domain+group_office
admin users = domain+admin
read only = No

By running the commands "#id winuser" and "#wbinfo -r winuser" I got the following output:

bash-3.00# id NTBV+winuser
uid=5000(NTBV+winuser) gid=5006(NTBV+DOMAINUSERS)
bash-3.00# /usr/local/samba/bin/wbinfo -r NTBV+winuser
5001
5002
5003
5004
5006
5007
5008

And here is my group mapping (#net groupmap list):
    #Administrators (S-1-5-32-544) -> DOMAIN+alle
    #root (S-1-5-21-3454502962-1315390950-1018511800-1001) -> root
    #Users (S-1-5-32-545) -> BUILTIN+users

I hope this bug will be fixed. :)


Comment 10 Igor Morgado 2006-10-19 09:34:41 UTC
I'm using samba 3.0.23c from Debian backports and I'm finding some problems; this host had worked flawlessly until a few months ago, but now it has stopped working properly.

My versions are:
ii  winbind                3.0.23c-1~bpo.1        service to resolve user and group information from Windows N
ii  samba                  3.0.23c-1~bpo.1        a LanManager-like file and printer server for Unix
ii  samba-common           3.0.23c-1~bpo.1         Samba common files used by both the server and the client


My configs are the following:

/etc/nsswitch.conf


# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind [NOTFOUND=return] db
group:          compat winbind [NOTFOUND=return] db
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

[global]
        workgroup = IBEU
        realm = IBEU.ORG.BR
        server string = Servidor de arquivos central
        security = ADS
        password server = ibeu_nt2 ibeu_nt 10.1.1.238 10.1.1.231
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        username map = /etc/samba/users.map
        username level = 8
        log level = 4
        #vfs:2
        syslog = 0
        syslog only = 0
        log file = /var/log/samba/log.%m.%U
        max log size = 0
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = cups
        add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        logon script = scripts\startup.bat
        logon path = \\%L\profiles\%u\%m
        logon drive = F:
        logon home = \\%L\%u\.win_profile\%m
        os level = 6
        preferred master = No
        local master = No
        domain master = No
        wins server = 10.1.1.238
        remote announce = 10.1.1.255/IBEU
        remote browse sync = 10.1.1.255
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        template homedir = /dados/home/%U
        template shell = /dev/null
        winbind separator = /
        winbind use default domain = Yes
#       recycle:maxsize = 10240000
#       recycle:touch = no
#       recycle:keeptree = yes
#       recycle:repository = /dados/lixeira
        invalid users = root
        printer admin = @admins
        acl group control = Yes
        inherit permissions = Yes
        inherit acls = Yes
        printing = cups
        print command =
        lpq command = %p
        lprm command =
#       vfs objects = recycle
#extd_audit
[homes]
        comment = Home Directories
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[profiles]
        path = /dados/profiles
        read only = No
        create mask = 0600
        directory mask = 070

[IPC$]
        path = /tmp
        read only = No
        guest ok = Yes

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
        write list = root, @admins


After this there are only user shares (I have commented out some things because I'm trying to find out where the problem is).

Samba and winbind are running (ps aux shows them).

Users can connect to shares etc.

Here is some command output:
zaphod:/etc/samba# wbinfo -p
Ping to winbindd succeeded on fd 4
zaphod:/etc/samba# wbinfo -u
full user list  . . . .
zaphod:/etc/samba# wbinfo -g
full group list...

BUT!

zaphod:/etc/samba# getent passwd
just shows /etc/passwd users

zaphod:/etc/samba# getent group
just shows /etc/group users

Weirdest thing!!

zaphod:/etc/samba# getent passwd igormorgado
igormorgado:*:10000:10000:Igor Morgado:/dados/home/igormorgado:/dev/null

zaphod:/etc/samba# getent group admins
admins:x:10003:servicos,vhogemann,igormorgado,lidia,diogo,nelson,admin,ramos,eliane,JEANNE,Administrador

Retrieves winbind data!!

Even weirder!

zaphod:/etc/samba# id igormorgado
uid=10000(igormorgado) gid=10000(Domain Users) grupos=10000(Domain Users)

It lists only my primary group, not all groups, but as you can notice I'm in the admins group too.


More data:
zaphod:/etc/samba# nss_updatedb winbind
Failed to enumerate nameservice: Success
passwd... nameservice unavailable.

I have tried to remove the winbind cache file (as ||cw told me on the IRC channel) but it didn't help.

There is no PAM configuration for winbind; this is because I didn't need Unix authentication through winbind or anything like that (just users on Samba).

I have another host with the same configuration but using these versions:
ii  winbind                3.0.14a-3sarge1        service to resolve user and group information from Windows N
ii  samba                  3.0.14a-3sarge1        a LanManager-like file and printer server for Unix
ii  samba-common           3.0.14a-3sarge1        Samba common files used by both the server and the client


But I need some options from samba 3.0.22 (such as acl group control and inherit).

I have the same config running on 3.0.14 flawlessly
Comment 11 Igor Morgado 2006-10-19 10:16:16 UTC
I have downgraded to 3.0.22 and everything is normal (without changing any configuration).
Comment 12 Peter Trifonov 2006-10-27 02:10:21 UTC
The parameter "winbind enum groups" (WEG) seems to affect this problem.
1. wbinfo -r shows a spurious GID (both with WEG=yes and WEG=no) which
does not resolve to a SID.
2. id shows all groups with WEG=yes and only "Domain Users" with WEG=no.
3. If WEG=yes, the user can access a directory of his group, but with WEG=no this is not possible.

Comment 13 Herve 2006-11-09 08:43:35 UTC
(In reply to comment #10)
> Im using samba 3.0.23c from debian backports and I finding some problems, this
> host has worked flawlessly since a a few months ago. But now stopped to work
> properly.

Exactly the same bug on Fedora Core 5 with
samba-common-3.0.23c-1.fc5
samba-3.0.23c-1.fc5

Impossible to make getent display passwd or group, but if I take some group or user alone it's OK, just not for all.

getent group solva
solva:*:10002:milergJ,ezarPA
getent passwd ouchi
ouchi:*:10000:10000:Bouchindhomme Herve:/home/ouchi:/bin/bash

BUT getent group or getent passwd give only local users and groups.

AND getent group DSO returns nothing.

I couldn't find a common point between the groups which couldn't be retrieved by getent.
Comment 14 Andreas Hasenack 2006-11-09 09:03:43 UTC
(In reply to comment #13) 
> getent group solva
> solva:*:10002:milergJ,ezarPA
> getent passwd ouchi
> ouchi:*:10000:10000:Bouchindhomme Herve:/home/ouchi:/bin/bash
> 
> BUT getent group or getent passwd give only local user and groupe

This is expected and was documented in the release notes. By default, winbind will no longer enumerate groups and users. See smb.conf(5).
Comment 15 Bastian Schmitz 2006-11-09 10:53:13 UTC
Some additional observations on the case and group dependency of the usernames.
System:
* Debian sarge using winbind (3.0.23c, .deb from samba.org) joined to an AD win2k3 sp2 domain with "security = ADS" and "winbind nested groups = yes, winbind enum users = yes, winbind enum groups = yes"

groups "global_primary", "global1" and "global2" are all created as global groups on the Windows host.
group "global2" is a member of "global1" in AD.
groups "local1" and "local2" are both created as 'local groups' inside the AD on the Windows host.
group "local2" is a member of "local1".
user "bei" was created on the windows pdc (all lowercase) with primary group "global_primary"
user "bei" is member of two groups: "local2" and "global2" (and the primary group "global_primary")

the following is observed:
bei@sambatest:/$ id bEi
uid=13585(bei) gid=17643(global_primary) groups=17643(global_primary)
bei@sambatest:/$ id bei
uid=13585(bei) gid=17643(global_primary) groups=17643(global_primary),17637(global2),17640(lokal2)
bei@sambatest:/$ id
uid=13585(bei) gid=17643(global_primary) groups=17636(global1),17637(global2),17640(lokal2),17643(global_primary)
bei@sambatest:/$ wbinfo -r bei
17637
17643
17636
17640

You may notice that nested groups are completely ignored for "local groups" ("local1" does not occur anywhere).
Comment 16 Gideon Prinsloo 2006-11-28 07:05:57 UTC
We also have this occurrence after the implementation of 3.0.23d.

The problem is erratic and is causing false account lockouts, as the error generates a wrong-password error.

***************

  init_sam_from_ldap: Entry found for user: jack
[2006/11/21 12:41:10, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 3207
[2006/11/21 12:41:10, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/11/21 12:41:10, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2006/11/21 12:41:10, 0] passdb/passdb.c:pdb_update_bad_password_count(1378)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2006/11/21 12:41:10, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: jack
[2006/11/21 12:41:10, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [jack] -> [jack] FAILED with error NT_STATUS_WRONG_PASSWORD

***************
Comment 17 Dobos Sandor 2006-11-30 13:59:13 UTC
Hi!

I recently implemented code to get the flat list of an AD user's group memberships in a trusted multi-forest environment.
The process is really not performance-friendly...
Maybe it helps:

1. get the primary group from the primaryGroupID property

2. get groups where the user is a member directly from the memberOf property

3. repeat step 2 on each object which was returned in memberOf;
these are group objects which can be members of other groups...
this is what is missing from winbind I think!

4. check between ForeignSecurityPrincipals on each root DN for objectSids
of groups collected before; if anything is found, step 3 should be executed
on that AD; there can be nested memberships too...
this may be missing too...


I don't know how Windows does this...
the tokenGroups property or win32 call doesn't report all these memberships either.

I think this is much more than what "nested groups" stands for.

The reason it is needed is simple:
I would like to say "valid users = +MYDOMAIN\share_blabla_users" in smb.conf
and after that assign individual users OR OTHER GROUPS to the share_blabla_users AD group via MS ADUC and see that a user who is a member of share_blabla_users not directly but through some other group can access that share!
(like on any Windows member server)

How can I help you to accomplish this?
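The four steps in the comment above are a transitive closure over group membership, with two details that a naive recursion gets wrong: AD allows membership cycles, and a group from one forest can be a member of a group in another forest only through a ForeignSecurityPrincipal object. The code below is an added example written for this page, not the commenter's code and not winbind's: the two-forest directory, its SIDs and its group names are constructed, and `foreignSecurityPrincipals` is an assumed in-memory table standing in for the per-forest lookup that step 4 describes.

```python
"""Flatten an AD user's transitive group membership across trusted forests.

Constructed sample directory (not real data): each forest maps object SIDs to
attributes; 'memberOf' holds SIDs of groups in the same forest. The assumed
'foreignSecurityPrincipals' table maps a SID from another forest to the groups
in this forest that it has been added to (step 4 in the comment above).
"""
from collections import deque
from typing import Dict, List, Optional, Set

DIRECTORY: Dict[str, dict] = {
    "corp.example": {
        "domain_sid": "S-1-5-21-1-1-1",
        "objects": {
            "S-1-5-21-1-1-1-1107": {"name": "jim", "primaryGroupID": 513,
                                    "memberOf": ["S-1-5-21-1-1-1-1144"]},
            "S-1-5-21-1-1-1-513": {"name": "Domain Users", "memberOf": []},
            "S-1-5-21-1-1-1-1144": {"name": "AlgoCode",
                                    "memberOf": ["S-1-5-21-1-1-1-1200"]},
            # 1200 is also a member of 1144: a membership cycle, which AD
            # permits and which an unguarded recursion would loop on.
            "S-1-5-21-1-1-1-1200": {"name": "Share Users",
                                    "memberOf": ["S-1-5-21-1-1-1-1144"]},
        },
        "foreignSecurityPrincipals": {},
    },
    "partner.example": {
        "domain_sid": "S-1-5-21-2-2-2",
        "objects": {
            "S-1-5-21-2-2-2-2000": {"name": "Partner Share",
                                    "memberOf": ["S-1-5-21-2-2-2-2001"]},
            "S-1-5-21-2-2-2-2001": {"name": "Partner All", "memberOf": []},
        },
        # corp's "Share Users" group was added to partner's "Partner Share"
        # group, so its SID is registered here as a foreign security principal.
        "foreignSecurityPrincipals": {
            "S-1-5-21-1-1-1-1200": ["S-1-5-21-2-2-2-2000"],
        },
    },
}


def forest_of(directory: Dict[str, dict], sid: str) -> Optional[str]:
    """Return the name of the forest that owns an object SID, or None."""
    for name, forest in directory.items():
        if sid in forest["objects"]:
            return name
    return None


def direct_groups(directory: Dict[str, dict], user_sid: str) -> Set[str]:
    """Steps 1 and 2 only: primary group plus direct memberOf entries."""
    home = forest_of(directory, user_sid)
    if home is None:
        raise KeyError(f"unknown user SID {user_sid}")
    forest = directory[home]
    user = forest["objects"][user_sid]
    # Step 1: the primary group is the domain SID plus the primaryGroupID RID.
    primary = f"{forest['domain_sid']}-{user['primaryGroupID']}"
    # Step 2: direct memberships.
    return {primary, *user.get("memberOf", [])}


def flatten_groups(directory: Dict[str, dict], user_sid: str) -> List[str]:
    """All four steps: breadth-first closure over memberOf in every forest,
    following foreign-security-principal links across forests. The visited
    set makes membership cycles terminate."""
    queue = deque(direct_groups(directory, user_sid))
    seen: Set[str] = set()
    while queue:
        sid = queue.popleft()
        if sid in seen:
            continue
        seen.add(sid)
        owner = forest_of(directory, sid)
        if owner is not None:  # step 3: a group may itself be in other groups
            queue.extend(directory[owner]["objects"][sid].get("memberOf", []))
        for name, forest in directory.items():  # step 4: other forests
            if name != owner:
                queue.extend(forest["foreignSecurityPrincipals"].get(sid, []))
    return sorted(seen)


def group_names(directory: Dict[str, dict], sids: List[str]) -> List[str]:
    """Resolve SIDs to display names; unknown SIDs are returned unchanged."""
    out = []
    for sid in sids:
        owner = forest_of(directory, sid)
        out.append(directory[owner]["objects"][sid]["name"] if owner else sid)
    return out


if __name__ == "__main__":
    jim = "S-1-5-21-1-1-1-1107"
    print("direct :", group_names(DIRECTORY, sorted(direct_groups(DIRECTORY, jim))))
    print("flatten:", group_names(DIRECTORY, flatten_groups(DIRECTORY, jim)))
```

Run as a script, the `direct` line shows what steps 1 and 2 alone yield (Domain Users and AlgoCode), while the `flatten` line also picks up Share Users through nesting and the two partner-forest groups through the foreign security principal, which is exactly the gap between a memberOf lookup and the access a Windows member server would grant.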
Comment 18 Roger Prefontaine 2007-01-16 23:12:45 UTC
Has this been fixed in 3.0.23d?  Release notes don't seem to specify.

id (and Samba) fail to report/see any *supplementary* groups for the user if the username's case doesn't *exactly* match the case as defined on the PDC, but wbinfo -u, -g, getent passwd, group correctly list all users and groups.

If a user is defined only on the PDC as 'Henry', then 'id Henry' reports all initial and supplementary groups, but 'id henry' only reports the one initial group. Samba seems to be doing the same thing as id and using 'henry' and doesn't see any supplementary groups, resulting in total mayhem.

Doesn't this basically break all domain member servers assuming many MS PDC's are configured with mixed case usernames?
Comment 19 Dobos Sandor 2007-02-26 07:38:51 UTC
Nothing happens.
Please tell us how we can help you to solve this bug!
Comment 20 Gerald (Jerry) Carter 2007-02-26 07:46:54 UTC
Timur, I've added you to the CC list.  Can you confirm this 
bug on FreeBSD?  Thanks.
Comment 21 Gerald (Jerry) Carter 2007-02-26 07:49:22 UTC
(In reply to comment #18)
> 
> If user is defined only on the PDC as 'Henry', then 'id 
> Henry' reports all initial, and supplementary groups, but 
> 'id henry' only reports the one initial
> group.  Samba seems to be doing the same thing as id and 
> using 'henry' and doesn't see any supplementary groups 
> resulting in total mayhem.

The 'id' command (unless you are logged in as the user) is not
a valid test case IMO since it uses getgrent() to walk the
groups IIRC. I cannot reproduce this.

> 
> Doesn't this basically break all domain member servers assuming many MS PDC's
> are configured with mixed case usernames?
> 

Comment 22 Sergey 2007-04-03 02:10:58 UTC
[global]
   workgroup = ELDIN-WORK
   server string =
   security = ads
   hosts allow = 192.168. 127.
   load printers = no
   log file = /usr/local/samba/var/log.%m
   max log size = 500
   password server = ELDIN-MAIL.......
   realm = ELDIN.ORG
   socket options = IPTOS_LOWDELAY TCP_NODELAY
   interfaces = vlan3
   bind interfaces only = Yes
   local master = no
   os level = 0
   domain master = no
   preferred master = no
   domain logons = no
   wins support = no
   wins proxy = no
   dns proxy = no
   display charset = windows-1251
   unix charset = koi8-r
   dos charset = cp866
   encrypt passwords = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   auth methods = winbind
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes
   winbind separator = +
   name resolve order = hosts wins bcast lmhosts
   template homedir = /home/%D/%U
   template shell = /sbin/nologin
   case sensitive = no
   netbios name = ELDIN-DOCS
   client use spnego = no
   client schannel = no
   server signing = auto
   client signing = no
   client signing = auto
   nt acl support = yes
   acl compatibility = win2k
   announce as = NT

[kmview]
   browseable = no
   guest ok = yes
;   writable = no
   writable = yes
   path = /usr/local/eldin-docs/disk2/kmview
;   write list = @"ELDIN-WORK+Администраторы домена", "ELDIN-WORK+morozov", "ELDIN-WORK+ogk-server"
   create mask = 0644
   directory mask = 0755
   force user = ftp
   force group = ftp

Here is my config. Samba 3.0.24, FreeBSD 6.2.
If I uncomment "write list" & "writable = no" then users in "write list" can't write to this share. On 3.0.22 all works fine.
Comment 23 Björn Jacke 2007-05-22 09:57:50 UTC
This might be seen as a FreeBSD bug in its setgroups() implementation:

http://lists.freebsd.org/pipermail/freebsd-bugs/2004-July/007959.html
http://lists.freebsd.org/pipermail/freebsd-bugs/2005-March/011831.html

it would be nice to get some comments from FreeBSD developers on this.

For a workaround in Samba see http://marc.info/?l=samba-technical&m=117976475614078&w=2
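The behaviour behind this, as I understand the FreeBSD threads linked above (the page does not reproduce the patch itself), is that setgroups(2) on FreeBSD of that era takes the first element of the array as the effective group ID, so handing it a winbind supplementary list that does not begin with the user's primary gid silently changes the effective gid of the process serving the user. The example below is added here and is neither the patch from the mailing list nor Samba code: `setgroups_list()` rebuilds the array the way such a workaround needs it (primary gid first, duplicates dropped, optionally cut to the platform's NGROUPS_MAX), and `bsd_model_apply()` is a toy model that encodes only that assumption so the effect can be shown without root. The gid values are the ones from the original report (jim's primary gid and the `wbinfo -r jim` output).

```python
"""Prepare a setgroups() list that keeps the effective gid stable on
platforms where groups[0] is taken as the effective gid.

Assumption (labelled): on FreeBSD of the era discussed in this bug, the
kernel treats the first element given to setgroups(2) as the effective gid.
bsd_model_apply() models only that assumption; it is not kernel code.
"""
from typing import Iterable, List, Optional, Tuple

# Values from the bug report: jim's primary gid and the gids `wbinfo -r jim`
# returned, in the order winbind returned them.
JIM_PRIMARY_GID = 20001
JIM_WBINFO_GROUPS = [20014, 20001, 20023]


def setgroups_list(primary_gid: int, supplementary: Iterable[int],
                   max_groups: Optional[int] = None) -> List[int]:
    """Return the array to hand to setgroups(): the primary gid first, then
    the supplementary gids in their original order, without duplicates.

    If max_groups (the platform's NGROUPS_MAX) is given, the list is cut to
    that length; the primary gid is never the element dropped."""
    supplementary = list(supplementary)
    if primary_gid < 0 or any(g < 0 for g in supplementary):
        raise ValueError("gids must be non-negative")
    out = [primary_gid]
    seen = {primary_gid}
    for gid in supplementary:
        if gid not in seen:
            seen.add(gid)
            out.append(gid)
    if max_groups is not None:
        if max_groups < 1:
            raise ValueError("max_groups must allow at least the primary gid")
        out = out[:max_groups]
    return out


def bsd_model_apply(groups: List[int]) -> Tuple[int, List[int]]:
    """Toy model of the assumed FreeBSD semantics: the effective gid becomes
    groups[0]; the whole array stays the group access list."""
    if not groups:
        raise ValueError("empty group list")
    return groups[0], list(groups)


def compare(primary_gid: int, raw: List[int]) -> Tuple[int, int]:
    """Effective gid the model yields for the raw winbind order versus the
    rebuilt list; a mismatch in the first value is the silent gid change."""
    egid_raw, _ = bsd_model_apply(raw)
    egid_fixed, _ = bsd_model_apply(setgroups_list(primary_gid, raw))
    return egid_raw, egid_fixed


if __name__ == "__main__":
    raw_egid, fixed_egid = compare(JIM_PRIMARY_GID, JIM_WBINFO_GROUPS)
    print("effective gid, raw winbind order:", raw_egid)
    print("effective gid, rebuilt list      :", fixed_egid)
```

For a real call, pass `max_groups=os.sysconf("SC_NGROUPS_MAX")` and then `os.setgroups()` the result as root; if the rebuilt list is shorter than the input, the dropped gids are permissions the user will not get, so compare the lengths and log that rather than truncating silently.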
Comment 24 Cameron Murdoch 2007-05-30 10:36:23 UTC
The patch referenced below at:

http://marc.info/?l=samba-technical&m=117976475614078&w=2

Fixes this problem for me. To confirm with 3.0.25 (no patch), Samba does not respect the group permissions, but with this patch everything works correctly.

Cam

(In reply to comment #23)
> this might be seen as a FreeBSD bug in its setgroups() implementation:
> 
> http://lists.freebsd.org/pipermail/freebsd-bugs/2004-July/007959.html
> http://lists.freebsd.org/pipermail/freebsd-bugs/2005-March/011831.html
> 
> it would be nice to get some comments from FreeBSD developers on this.
> 
> For a workaround in Samba see
> http://marc.info/?l=samba-technical&m=117976475614078&w=2
> 

Comment 25 Gerald (Jerry) Carter 2007-05-30 12:15:23 UTC
James,  If possible I'd like to wrap this one up before 
3.0.25b (not set release date yet).
Comment 26 Timur Bakeyev 2007-06-02 21:12:34 UTC
Created attachment 2731 [details]
Cleaned up version of the patch from ML

This is the patch as it appears in the FreeBSD net/samba3 port. Please check it on your systems and give feedback.

Timur
Comment 27 Timur Bakeyev 2007-06-02 21:14:19 UTC
(In reply to comment #25)
> James,  If possible I'd like to wrap this one up before 
> 3.0.25b (not set release date yet).

Jerry, I have included this patch (see attachment) in the FreeBSD port for 3.0.25a. Just to keep you informed.

Comment 28 Timur Bakeyev 2007-06-02 21:17:09 UTC
(In reply to comment #23)
> this might be seen as a FreeBSD bug in its setgroups() implementation:
> 
> For a workaround in Samba see
> http://marc.info/?l=samba-technical&m=117976475614078&w=2

Bjorn, thanks a lot for the work you've done! I'm including your patch in the net/samba3 port; hopefully it'll end up in the official branch too.

I'll try to pass the message to developers to get their feedback as well.

With best regards,
Timur
Comment 29 James Peach 2007-06-13 11:03:32 UTC
Fixed in 3.0.26
Comment 30 Volker Lendecke 2009-01-25 13:49:12 UTC
*** Bug 2441 has been marked as a duplicate of this bug. ***