After upgrading from CENTOS4 to CENTOS5 (3.0.11 to 3.0.25b) Samba can no longer associate the user with its secondary groups. I can connect only to shares that match the user's Primary GID.

This is the error in the /var/log/samba/<machine> log:

user 'userid' (from session setup) not permitted to access this share (share_name)
[2008/02/13 20:00:49, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Funny thing about it is that ldap retrieves the GID membership correctly:

[2008/02/13 20:00:49, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=Groups,dc=mydomain,dc=com], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=shop)(cn=group_name)))], scope => [2]
[2008/02/13 20:00:49, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
init_group_from_ldap: Entry found for group: 10001

Note that 10001 is the GID of the group that is set on the share itself:

[share_name]
comment = shop share
path = /u01/share/shoptest
valid users = "@domain admins" "@group_name"
browseable = yes
public = no
writable = yes
printable = no
create mask = 0775
create mode = 0775
directory mask = 0775

The directory is also correctly chowned and chmoded:

drwxrwxr-x 2 shop1 group_name 4096 Feb 11 05:12 shoptest

I am trying to access it by using mydomain.com\userid and the user's particulars are:

From getent group:
group_name:*:10001:user_id,other1,other2, ...

id userid:
uid=10000(userid) gid=513(Domain Users) groups=513(Domain Users)

id -G:
513

As you can see, id -G shows only the primary group. This was working fine before doing an upgrade, but a serious continuous LDAP crash issue forced me to update to CENTOS5.
The related packages are:

samba-client-3.0.25b-1.el5_1.4
samba-3.0.25b-1.el5_1.4
samba-common-3.0.25b-1.el5_1.4
smbldap-tools-0.9.4-1.el5.rf
pam_smb-1.1.7-7.2.1
nss_ldap-253-5.el5
compat-openldap-2.3.27_2.2.29-8
openldap-clients-2.3.27-8
openldap-servers-2.3.27-8
openldap-2.3.27-8
openldap-devel-2.3.27-8

My smb.conf:

[global]
unix charset = LOCALE
workgroup = MY_DOMAIN.COM
server string = SERVER_NAME
interfaces = eth0, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
log level = 6
syslog = 0
log file = /var/log/samba/%m
max log size = 1050
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = scripts/logon.bat
logon path = \\SERVER_NAME.MY_DOMAIN.COM\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=my_domain,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap suffix = dc=avatas,dc=com
ldap user suffix = ou=People
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = \
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
map acl inherit = Yes

Any help will be greatly appreciated.
Created attachment 3140: computer's samba log

This is the log of the actual samba transaction.
Note the output of the following commands:

wbinfo -u
Error looking up domain users

wbinfo -g
BUILTIN\users

wbinfo -a "userid%password"
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -D avatas.com
Name              : AVATAS.COM
Alt_Name          :
SID               : S-1-5-21-2953885461-2572836322-187695268
Active Directory  : No
Native            : No
Primary           : Yes
Sequence          : -1

wbinfo --get-auth-user
AVATAS.COM\ winbind cache time = 10root%verysecret

wbinfo -p
Ping to winbindd succeeded on fd 4

wbinfo -i userid
:*:10000:0::/home/AVATAS.COM/:/bin/false

wbinfo --own-domain
AVATAS.COM

wbinfo -r userid
513
10000

getent passwd | grep -i 10000
userid:x:10000:513:my name goes here:/home/userid:/bin/bash

getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
..
..
Domain Admins:*:512:root,userid,user,user,user
Domain Users:*:513:userid,user,user
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:userid,user
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
Power Users:*:553:
Domain Power Users:*:554:
shop:*:10001:shop1,userid,user,user
Remote Desktop Users:*:555:userid,user,user
Users:*:10014:userid,user
...
...
[root@lsv-df-dc1 samba]# wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -V
Version 3.0.25b-1.el5_1.4

net groupmap list
Domain Admins (S-1-5-21-2953885461-2572836322-187695268-512) -> Domain Admins
Domain Users (S-1-5-21-2953885461-2572836322-187695268-513) -> Domain Users
Domain Guests (S-1-5-21-2953885461-2572836322-187695268-514) -> Domain Guests
Domain Computers (S-1-5-21-2953885461-2572836322-187695268-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
Users (S-1-5-32-545) -> 10000
Power Users (S-1-5-21-2953885461-2572836322-187695268-2107) -> Power Users
Domain Power Users (S-1-5-21-2953885461-2572836322-187695268-2109) -> Domain Power Users
shop (S-1-5-21-2953885461-2572836322-187695268-21003) -> shop
Remote Desktop Users (S-1-5-21-2953885461-2572836322-187695268-2111) -> Remote Desktop Users
QC Data Importers (S-1-5-21-2953885461-2572836322-187695268-2113) -> QC Data Importers
CT Accounting Users (S-1-5-21-2953885461-2572836322-187695268-21029) -> CT Accounting Users
FAS Users (S-1-5-21-2953885461-2572836322-187695268-2115) -> FAS Users
CT Shared Users (S-1-5-21-2953885461-2572836322-187695268-21023) -> CT Shared Users
AV Accounting Users (S-1-5-21-2953885461-2572836322-187695268-2117) -> AV Accounting Users
..
..

net rpc group members "shop"
Password:
AVATAS.COM\shop1
AVATAS.COM\shop2
AVATAS.COM\userid
..
..
[root@lsv-df-dc1 samba]# net rpc info -S localhost
Password:
Domain Name: AVATAS.COM
Domain SID: S-1-5-21-2953885461-2572836322-187695268
Sequence number: 1203001771
Num users: 114
Num domain groups: 15
Num local groups: 0

[root@lsv-df-dc1 samba]# net getlocalsid
SID for domain LSV-DF-DC1 is: S-1-5-21-2953885461-2572836322-187695268

[root@lsv-df-dc1 samba]# net rpc rights list accounts -S localhost
Password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned
Created attachment 3141: Second Computer's Samba log after wbinfo -u and wbinfo -g

This log was generated when trying a wbinfo -u and wbinfo -g.
May be the same problem as bug 4184. We have the same problem. The problem for us is evidenced by using 'valid users = +UNIXGROUP'. We've tried all documented combinations of + / @ / &, and using 'Unix Group\group', which appear in various internet threads. No success.

We have determined that Samba does not appear to care about the unix group. So for instance, if we do 'valid users = +DOMAIN\group' it works as expected, only permitting users of the indicated domain group to access the share. However, using 'valid users = +unixgroup' does not work as expected. What would be expected (as it has worked in the past) is that a user who is a member of 'unixgroup', either by way of their primary group or of their full grouplist, would be able to access the share. Instead, a user can access the share if their primary group is unixgroup; however, supplementary grouplist membership is ignored.

Also looking for a fix. Our platform is AIX 5.3 TL7 all maint patches. Heimdal krb5 ver 1.1 and openldap current stable.

Thanks,
Devin Nate
I was just hit by the same problem. I'm using

samba3-3.0.31-35
samba3-utils-3.0.31-35
samba3-winbind-3.0.31-35

from sernet on SLES10. My setup is samba as domain member (ADS mode) using

idmap backend = ad
winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind nested groups = yes

as stated in http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

Now I discovered that

valid users = S-1-5-21-2585826257-3449007166-164352979-1145

works as expected. I noticed in the log files the parser is expecting an "S-" value. Is there any progress regarding this bug or more official fixes?
By the way, this issue got "carried on" when I applied the suggested patches. I am now at

samba-client-3.0.28-1.el5_2.1
samba-3.0.28-1.el5_2.1
samba-common-3.0.28-1.el5_2.1

(and the issue still exists).
(In reply to comment #0)
> After upgrading from CENTOS4 to CENTOS5 (3.0.11 to 3.0.25b)
> Samba can no longer associate the user with its secondary groups.

The permission checks became more strict. You have to enter the exact group/user names including the domain name. The SID is also possible.
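As an added example (not from the bug report or from Samba), a small Python check that parses the `valid users` entries of an smb.conf and flags any entry that is neither a SID nor a domain-qualified name, the two forms comment #11 says the stricter checks require. The `[share_name]` fragment is constructed from the reporter's section, the separator defaults to `\` as in the reporter's config, and the `classify`/`lint` names are this example's own.

```python
import re

# Constructed smb.conf fragment modelled on the reporter's [share_name] section,
# not their actual file: two entries are domain-qualified, two are not.
SAMPLE_CONF = r"""
[share_name]
    path = /u01/share/shoptest
    valid users = "@domain admins" "@group_name" @"MY_DOMAIN.COM\shop" S-1-5-21-2953885461-2572836322-187695268-21003
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
SIGILS = "@+&"  # Samba group prefixes: @ (any source), + (unix/NIS), & (NIS)


def parse_valid_users(conf):
    """Return {share: [tokens]} for every 'valid users' line, honouring quotes."""
    shares, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, _, value = line.partition("=")
        if current and key.strip().lower() == "valid users":
            # A token is an optional sigil run plus a quoted name, or a bare word.
            tokens = re.findall(r'[@+&]*"[^"]*"|\S+', value)
            shares[current] = [t.replace('"', "") for t in tokens]
    return shares


def classify(token, separator="\\"):
    """Label a token: 'sid', 'domain-group', 'bare-group', 'domain-user' or 'bare-user'."""
    name = token.lstrip(SIGILS)
    if SID_RE.match(name):
        return "sid"
    kind = "group" if name != token else "user"
    return ("domain-" if separator in name else "bare-") + kind


def lint(conf, separator="\\"):
    """Return (share, token, kind) for entries that are neither a SID nor
    DOMAIN<separator>name; per comment #11 those no longer grant access."""
    findings = []
    for share, tokens in parse_valid_users(conf).items():
        for tok in tokens:
            kind = classify(tok, separator)
            if kind.startswith("bare-"):
                findings.append((share, tok, kind))
    return findings
```

Run `lint(SAMPLE_CONF)` to get the two unqualified entries; for a setup like the SLES one above, pass `separator="+"`.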