This bug is present in at least samba-3.0.0 and samba-3.0.0pre1. The symptom is the inability to view the properties of a group which has a user account of the same name via the Windows NT version of the User Manager for Domains. When double-clicking on the group entry, an LDAP search is shown in the logs for the SID matching the user account, instead of using the SID for the group. For example, in the logs attached, you will notice:

[2003/10/13 10:45:11, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1615)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-2244014245-3637982190-3323613867-2002))]

However, the RID 2002 belongs to a user account:

# pdbedit3 -L -v -u bgmilne
Unix username: bgmilne
NT username: bgmilne
Account Flags: [U ]
User SID: S-1-5-21-2244014245-3637982190-3323613867-2002
Primary Group SID: S-1-5-21-2244014245-3637982190-3323613867-512
Full Name: Buchan Milne
Home Directory: \\%N\bgmilne
HomeDir Drive: Z:
Logon Script:
Profile Path: \\cm3-samba3\Profiles\bgmilne
Domain: CMDOM
Account desc:
Workstations:
Munged dial:
Logon time: Fri, 13 Dec 1901 22:45:51 GMT
Logoff time: Fri, 13 Dec 1901 22:45:51 GMT
Kickoff time: Fri, 13 Dec 1901 22:45:51 GMT
Password last set: Mon, 29 Sep 2003 11:54:34 GMT
Password can change: Mon, 29 Sep 2003 11:54:34 GMT
Password must change: Mon, 20 Oct 2003 11:54:34 GMT

The group RID for the group is 2003:

# net groupmap list verbose
bgmilne
    SID : S-1-5-21-2244014245-3637982190-3323613867-2003
    Unix group: bgmilne
    Group type: Domain group
    Comment :
(other entries removed)

Attached to the bug report is a file containing the section of the log (level 5) from double-clicking on the group entry in User Manager for domains, as well as relevant information on the affected user and all group mappings.
Created attachment 196: Log extracts and user/group details
First line should read: This bug is present in at least samba-3.0.0 and samba-3.0.1pre1.
I don't think this can be fixed since the lookup_name will match the user first. The solution is to name use user private groups. Or at least set the ntgroup name in the mapping entry to be different. Windows doesn't support users and groups sharing the same name. Sorry.
Sorry Jerry, you weren't quite clear (or you made a typo), did you mean that the solution is to _not_ use user private groups? If so, this needs to be documented in the group mapping section of the Samba Howto Collection (AFAIK this issue is not mentioned), considering that many Linux distributions default to creating user private groups, and I think this issue will cause a lot of frustration (I think it was causing problems using things like User Manager for Domains for working for a user who is a member of the Domain Admin group but has a user private group).
Sorry, there are two possible solutions. 1) don't use user private groups, or 2) change the display name for the group mapping entry to a unique name so that there is no conflict. This is one of those areas where Windows semantics (no name conflicts) has to take precedence. But you're right, it probably needs some docs.
I wonder if this still should not be considered a bug. Samba knows the restrictions on Windows group/user naming conventions, nothing else is guaranteed to know this (including the Unix-leaning administrator). Should net groupmap or similar not at least warn against adding an ntgroup mapping that matches the uid of a sambaSamAccount user? Since many Linux distributions do use user-private groups to do this, and samba complains about missing group mappings for users' primary groups, it is quite likely that many users will fall into this trap ... If it is feasible to prevent this (I don't know if passdb supports the features required for it on all backends), it would be sensible to do so (or at least print a warning).
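An audit along the lines of the warning requested above, as an added example that is not part of the original thread or of Samba's code: it reads saved output of `pdbedit -L -v` and `net groupmap list verbose` and reports names held by both a user and a group mapping. The function names, the assumed indentation of the groupmap fields, and the sample data (placeholder SIDs) are constructed for illustration.

```python
def users_by_name(pdbedit_text):
    """Map lower-cased NT (or Unix) username -> User SID from `pdbedit -L -v` text."""
    users, unix, nt = {}, "", ""
    for line in pdbedit_text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Unix username":
            unix, nt = value, ""          # a new account record starts here
        elif key == "NT username":
            nt = value                    # may be empty; fall back to the Unix name
        elif key == "User SID":
            users[(nt or unix).lower()] = value
    return users

def groups_by_name(groupmap_text):
    """Map lower-cased NT group name -> SID; assumes an unindented name line, then indented fields."""
    groups, name = {}, None
    for line in groupmap_text.splitlines():
        if line.strip() and not line[:1].isspace():
            name = line.strip()           # unindented line: NT group name
        elif name and line.strip().startswith("SID"):
            groups[name.lower()] = line.split(":", 1)[1].strip()
    return groups

def name_collisions(pdbedit_text, groupmap_text):
    """Names used by both a user and a group mapping, compared case-insensitively."""
    users, groups = users_by_name(pdbedit_text), groups_by_name(groupmap_text)
    return sorted((n, users[n], groups[n]) for n in users.keys() & groups.keys())

# Constructed sample data; the SIDs are placeholders, not values from the bug report.
SAMPLE_PDBEDIT = """\
Unix username: alice
NT username: alice
User SID: S-1-5-21-1-2-3-2002
---------------
Unix username: bob
NT username:
User SID: S-1-5-21-1-2-3-2004
"""
SAMPLE_GROUPMAP = """\
Domain Admins
    SID : S-1-5-21-1-2-3-512
    Unix group: ntadmin
Alice
    SID : S-1-5-21-1-2-3-2003
    Unix group: alice
"""

if __name__ == "__main__":
    for name, user_sid, group_sid in name_collisions(SAMPLE_PDBEDIT, SAMPLE_GROUPMAP):
        print(f"WARNING: '{name}' is both user {user_sid} and group {group_sid}")
```

Any name it reports needs one of the two remedies given earlier in the thread: drop the user private group mapping, or give the group mapping a unique NT group name.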
database cleanup