Bug 406 - no supplementary groups if winbind use default domain = True (ADS)
no supplementary groups if winbind use default domain = True (ADS)
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.0preX
All Linux
: P1 major
: 3.0.1
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2003-09-05 03:35 UTC by Gleb Stiblo
Modified: 2005-11-14 09:31 UTC (History)
0 users

See Also:


Attachments
samba logs. level 10 (64.28 KB, application/x-gzip)
2003-09-05 03:37 UTC, Gleb Stiblo
no flags Details
Test case on a production server running 3.0rc4. (6.43 KB, text/plain)
2003-09-28 17:48 UTC, Lukasz Grochal
no flags Details
patch for 'winbind use default domain' & secondary groups (1.56 KB, patch)
2003-10-07 09:21 UTC, Gerald (Jerry) Carter
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Gleb Stiblo 2003-09-05 03:35:12 UTC
Supplementary groups are not used if `security = domain or ads` and `winbind
use default domain = True`. So permissions setted on supplementary groups don't
work. If `winbind use default domain = False` then permissions work.
    My configurations: server - nasos.belcaf.minsk.by, client -
pc346.belcaf.minsk.by.

Server side:

bash-2.05b# hostname 
nasos.belcaf.minsk.by

bash-2.05b# id u1
uid=508(u1) gid=501(Domain Users) groups=501(Domain Users),510(g1)

bash-2.05b# chacl -l /drives/Volume1/s1/
/drives/Volume1/s1/ [u::---,g::---,g:g1:rwx,m::rwx,o::---]

bash-2.05b# su - u1 -s /bin/bash

-bash-2.05b$ cd /drives/Volume1/s1

-bash-2.05b$ id
uid=508(u1) gid=501(Domain Users) groups=501(Domain Users),510(g1)

-bash-2.05b$ pwd
/drives/Volume1/s1

-bash-2.05b$ touch u1_file

-bash-2.05b$ ls -la 
total 4
d---rwx---    2 root     root           20 Sep  4 17:13 .
drwxr-xr-x    3 root     root           47 Sep  4 16:56 ..
-rw-r--r--    1 u1       Domain Users        0 Sep  4 17:13 u1_file

So user u1 can create/read files /drives/Volume1/s1 locally.
Additional:

bash-2.05b# cat /etc/samba/smb.conf
#======================= Global Settings =====================================
[global]

; socket options is here before any changes are made to the code
; page so the options will be interpreted correctly

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

; ccp and cs must be at the top here so workgroup can be in whatever
; language
        dos charset = CP932
        unix charset = UTF-8
        display charset = UTF-8

        veto oplock files = /*.sem/
        map hidden = yes
        map archive = yes
        create mask = 0777
        nt acl support = yes
        inherit acls = yes
        inherit permissions = yes
        map to guest = never
        guest account = guest
        add user script = /usr/bin/serviceware-wrapper addUser

        workgroup = MIXED

        server string = NASS (tm)


        load printers = no
        log file = /var/log/samba/log.smb

        max log size = 500000
; added 08/14/01 to fix username case problems.  15 is max len of username.
        username level = 15

        security = domain

        encrypt passwords = yes
        smb passwd file = /etc/samba/smbpasswd

        unix password sync = Yes
        passwd program = /usr/sbin/parse '1210,%u,%n'


;   interfaces = 192.168.12.2/24 192.168.13.2/24 

;   remote browse sync = 192.168.3.25 192.168.5.255
;   remote announce = 192.168.1.255 192.168.2.44

        local master = no

        os level = 32

;  name resolve order = wins bcast

;   wins support = yes
;   wins server = x.x.x.x

;   wins proxy = yes

        dns proxy = no

        preserve case = yes
        short preserve case = yes
        default case = lower
        change notify timeout = 30

        add share command = /usr/bin/serviceware-wrapper addShare
        change share command = /usr/bin/serviceware-wrapper changeShare
        delete share command = /usr/bin/serviceware-wrapper deleteShare

;   winbind uid = 500-25000
;   winbind gid = 500-25000
        winbind separator = +
        winbind use default domain = True
;   template homedir = /home/%D/%U
;   template shell = /bin/false
      
#============================ Share Definitions ==============================


        vfs object = netatalk
        disable spoolss = yes
        log level = 10
        idmap uid = 500-25000
        idmap gid = 500-25000
        admin users = @"Domain Admins"
        wins support = no
        password server = 192.168.117.5
        wins server = 192.168.117.5
[c$]
        path = /drives/Volume1
        writeable = yes
        valid users = MIXED"Domain Admins"
[s1]
        path = /drives/Volume1/s1
        public = no
        writeable = yes
        directory mask = 0771
        hide dot files = true
        delete veto files = true
        veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash
Folder/TheVolumeSettingsFolder/Temporary Items/TheFindByContentFolder/.DS_Store/
        hide files = /.*/DesktopFolderDb/TrashFor%m/resource.frk/
        valid users = "MIXED+g1" 
        read list = "MIXED+g1" 
        write list = "MIXED+g1" 


bash-2.05b# getent passwd
root:x:0:0:System Administrator:/root:/bin/bash
...
Administrator:x:500:501::/home/MIXED/administrator:/bin/false
Guest:x:501:501::/home/MIXED/guest:/bin/false
krbtgt:x:502:501::/home/MIXED/krbtgt:/bin/false
TsInternetUser:x:503:501::/home/MIXED/tsinternetuser:/bin/false
IUSR_W2K-MIX:x:504:501::/home/MIXED/iusr_w2k-mix:/bin/false
IWAM_W2K-MIX:x:505:501::/home/MIXED/iwam_w2k-mix:/bin/false
root:x:506:501::/home/MIXED/root:/bin/false
win2kmixed:x:507:501::/home/MIXED/win2kmixed:/bin/false
u1:x:508:501::/home/MIXED/u1:/bin/false
u2:x:509:501::/home/MIXED/u2:/bin/false
u3:x:510:501::/home/MIXED/u3:/bin/false

bash-2.05b# getent group
root:x:0:root
...
Domain Admins:x:502:Administrator,root
Domain
Users:x:501:Administrator,Guest,TsInternetUser,IUSR_W2K-MIX,IWAM_W2K-MIX,krbtgt,root,win2kmixed,u1,u2,u3
Domain Guests:x:503:Guest
Domain Computers:x:504:
Domain Controllers:x:505:
Cert Publishers:x:506:
Schema Admins:x:500:Administrator,root
Enterprise Admins:x:507:Administrator
Group Policy Creator Owners:x:508:Administrator
DnsUpdateProxy:x:509:
g1:x:510:u1,u2
g2:x:511:u2,u3


Now try to read files via samba, client side:

[13:24:05 stiblo@pc346 stiblo]$hostname
pc346.belcaf.minsk.by

[13:42:56 stiblo@pc346 stiblo]$smbclient //nasos/s1 -W MIXED -U u1%u1
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

                0 blocks of size 0. 0 blocks available
smb: \> [13:49:39 stiblo@pc346 stiblo]$


If set `winbind use default domain` to false then user can get shared files.
Comment 1 Gleb Stiblo 2003-09-05 03:37:48 UTC
Created attachment 123 [details]
samba logs. level 10
Comment 2 Lukasz Grochal 2003-09-28 17:48:50 UTC
Created attachment 168 [details]
Test case on a production server running 3.0rc4.

This is a copy of the mail I've sent to the maintainer of debian port of Samba
a week ago.
Comment 3 Gerald (Jerry) Carter 2003-10-07 09:21:00 UTC
Created attachment 187 [details]
patch for 'winbind use default domain' & secondary groups
Comment 4 Gerald (Jerry) Carter 2003-10-07 09:22:38 UTC
This patch fixes things for my tests.  I'll check it into 
the SAMBA_3_0/HEAD branches later today.  You can wait 
until then and grab the cvs tree or apply the patch 
locally.  It should apply cleanly to the 3.0.0 codebase.
Comment 5 Gerald (Jerry) Carter 2005-02-07 09:06:21 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 6 Gerald (Jerry) Carter 2005-08-24 10:28:13 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 7 Gerald (Jerry) Carter 2005-11-14 09:31:26 UTC
database cleanup