406 – no supplementary groups if winbind use default domain = True (ADS)

Bug 406 - no supplementary groups if winbind use default domain = True (ADS)

Summary: no supplementary groups if winbind use default domain = True (ADS)

Status:	CLOSED FIXED

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	winbind (show other bugs)
Version:	3.0.0preX
Hardware:	All Linux

Importance:	P1 major
Target Milestone:	3.0.1
Assignee:	Gerald (Jerry) Carter (dead mail address)
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2003-09-05 03:35 UTC by Gleb Stiblo
Modified:	2005-11-14 09:31 UTC (History)
CC List:	0 users

See Also:

Attachments
samba logs. level 10 (64.28 KB, application/x-gzip) 2003-09-05 03:37 UTC, Gleb Stiblo	no flags	Details
Test case on a production server running 3.0rc4. (6.43 KB, text/plain) 2003-09-28 17:48 UTC, Lukasz Grochal	no flags	Details
patch for 'winbind use default domain' & secondary groups (1.56 KB, patch) 2003-10-07 09:21 UTC, Gerald (Jerry) Carter (dead mail address)	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gleb Stiblo 2003-09-05 03:35:12 UTC

Supplementary groups are not used if `security = domain or ads` and `winbind
use default domain = True`. So permissions setted on supplementary groups don't
work. If `winbind use default domain = False` then permissions work.
    My configurations: server - nasos.belcaf.minsk.by, client -
pc346.belcaf.minsk.by.

Server side:

bash-2.05b# hostname 
nasos.belcaf.minsk.by

bash-2.05b# id u1
uid=508(u1) gid=501(Domain Users) groups=501(Domain Users),510(g1)

bash-2.05b# chacl -l /drives/Volume1/s1/
/drives/Volume1/s1/ [u::---,g::---,g:g1:rwx,m::rwx,o::---]

bash-2.05b# su - u1 -s /bin/bash

-bash-2.05b$ cd /drives/Volume1/s1

-bash-2.05b$ id
uid=508(u1) gid=501(Domain Users) groups=501(Domain Users),510(g1)

-bash-2.05b$ pwd
/drives/Volume1/s1

-bash-2.05b$ touch u1_file

-bash-2.05b$ ls -la 
total 4
d---rwx---    2 root     root           20 Sep  4 17:13 .
drwxr-xr-x    3 root     root           47 Sep  4 16:56 ..
-rw-r--r--    1 u1       Domain Users        0 Sep  4 17:13 u1_file

So user u1 can create/read files /drives/Volume1/s1 locally.
Additional:

bash-2.05b# cat /etc/samba/smb.conf
#======================= Global Settings =====================================
[global]

; socket options is here before any changes are made to the code
; page so the options will be interpreted correctly

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

; ccp and cs must be at the top here so workgroup can be in whatever
; language
        dos charset = CP932
        unix charset = UTF-8
        display charset = UTF-8

        veto oplock files = /*.sem/
        map hidden = yes
        map archive = yes
        create mask = 0777
        nt acl support = yes
        inherit acls = yes
        inherit permissions = yes
        map to guest = never
        guest account = guest
        add user script = /usr/bin/serviceware-wrapper addUser

        workgroup = MIXED

        server string = NASS (tm)


        load printers = no
        log file = /var/log/samba/log.smb

        max log size = 500000
; added 08/14/01 to fix username case problems.  15 is max len of username.
        username level = 15

        security = domain

        encrypt passwords = yes
        smb passwd file = /etc/samba/smbpasswd

        unix password sync = Yes
        passwd program = /usr/sbin/parse '1210,%u,%n'


;   interfaces = 192.168.12.2/24 192.168.13.2/24 

;   remote browse sync = 192.168.3.25 192.168.5.255
;   remote announce = 192.168.1.255 192.168.2.44

        local master = no

        os level = 32

;  name resolve order = wins bcast

;   wins support = yes
;   wins server = x.x.x.x

;   wins proxy = yes

        dns proxy = no

        preserve case = yes
        short preserve case = yes
        default case = lower
        change notify timeout = 30

        add share command = /usr/bin/serviceware-wrapper addShare
        change share command = /usr/bin/serviceware-wrapper changeShare
        delete share command = /usr/bin/serviceware-wrapper deleteShare

;   winbind uid = 500-25000
;   winbind gid = 500-25000
        winbind separator = +
        winbind use default domain = True
;   template homedir = /home/%D/%U
;   template shell = /bin/false
      
#============================ Share Definitions ==============================


        vfs object = netatalk
        disable spoolss = yes
        log level = 10
        idmap uid = 500-25000
        idmap gid = 500-25000
        admin users = @"Domain Admins"
        wins support = no
        password server = 192.168.117.5
        wins server = 192.168.117.5
[c$]
        path = /drives/Volume1
        writeable = yes
        valid users = MIXED"Domain Admins"
[s1]
        path = /drives/Volume1/s1
        public = no
        writeable = yes
        directory mask = 0771
        hide dot files = true
        delete veto files = true
        veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash
Folder/TheVolumeSettingsFolder/Temporary Items/TheFindByContentFolder/.DS_Store/
        hide files = /.*/DesktopFolderDb/TrashFor%m/resource.frk/
        valid users = "MIXED+g1" 
        read list = "MIXED+g1" 
        write list = "MIXED+g1" 


bash-2.05b# getent passwd
root:x:0:0:System Administrator:/root:/bin/bash
...
Administrator:x:500:501::/home/MIXED/administrator:/bin/false
Guest:x:501:501::/home/MIXED/guest:/bin/false
krbtgt:x:502:501::/home/MIXED/krbtgt:/bin/false
TsInternetUser:x:503:501::/home/MIXED/tsinternetuser:/bin/false
IUSR_W2K-MIX:x:504:501::/home/MIXED/iusr_w2k-mix:/bin/false
IWAM_W2K-MIX:x:505:501::/home/MIXED/iwam_w2k-mix:/bin/false
root:x:506:501::/home/MIXED/root:/bin/false
win2kmixed:x:507:501::/home/MIXED/win2kmixed:/bin/false
u1:x:508:501::/home/MIXED/u1:/bin/false
u2:x:509:501::/home/MIXED/u2:/bin/false
u3:x:510:501::/home/MIXED/u3:/bin/false

bash-2.05b# getent group
root:x:0:root
...
Domain Admins:x:502:Administrator,root
Domain
Users:x:501:Administrator,Guest,TsInternetUser,IUSR_W2K-MIX,IWAM_W2K-MIX,krbtgt,root,win2kmixed,u1,u2,u3
Domain Guests:x:503:Guest
Domain Computers:x:504:
Domain Controllers:x:505:
Cert Publishers:x:506:
Schema Admins:x:500:Administrator,root
Enterprise Admins:x:507:Administrator
Group Policy Creator Owners:x:508:Administrator
DnsUpdateProxy:x:509:
g1:x:510:u1,u2
g2:x:511:u2,u3


Now try to read files via samba, client side:

[13:24:05 stiblo@pc346 stiblo]$hostname
pc346.belcaf.minsk.by

[13:42:56 stiblo@pc346 stiblo]$smbclient //nasos/s1 -W MIXED -U u1%u1
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

                0 blocks of size 0. 0 blocks available
smb: \> [13:49:39 stiblo@pc346 stiblo]$


If set `winbind use default domain` to false then user can get shared files.

Comment 1 Gleb Stiblo 2003-09-05 03:37:48 UTC

Created attachment 123 [details]
samba logs. level 10

Comment 2 Lukasz Grochal 2003-09-28 17:48:50 UTC

Created attachment 168 [details]
Test case on a production server running 3.0rc4.

This is a copy of the mail I've sent to the maintainer of debian port of Samba
a week ago.

Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-10-07 09:21:00 UTC

Created attachment 187 [details]
patch for 'winbind use default domain' & secondary groups

Comment 4 Gerald (Jerry) Carter (dead mail address) 2003-10-07 09:22:38 UTC

This patch fixes things for my tests.  I'll check it into 
the SAMBA_3_0/HEAD branches later today.  You can wait 
until then and grab the cvs tree or apply the patch 
locally.  It should apply cleanly to the 3.0.0 codebase.

Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:06:21 UTC

originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.

Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:28:13 UTC

sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.

Comment 7 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:31:26 UTC

database cleanup