Bug 609 - With ldapsam, if a group exists matching a user account, samba looks up group using the user SID
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Hardware/OS: All Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
Reported: 2003-10-13 08:15 UTC by Buchan Milne
Modified: 2005-11-14 09:28 UTC (History)

Log extracts and user/group details (14.19 KB, text/plain)
2003-10-13 08:17 UTC, Buchan Milne

Description Buchan Milne 2003-10-13 08:15:18 UTC
This bug is present in at least samba-3.0.0 and samba-3.0.0pre1.

The symptom is the inability to view the properties of a group which has a user
account of the same name via the Windows NT version of the User Manager for
Domains. When double-clicking on the group entry, an LDAP search is shown in the
logs for the SID matching the user account, instead of using the SID for the group.

For example, in the logs attached, you will notice:
[2003/10/13 10:45:11, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1615)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(sam

However, the RID 2002 belongs to a user account:
# pdbedit3 -L -v -u bgmilne
Unix username:        bgmilne
NT username:          bgmilne
Account Flags:        [U          ]
User SID:             S-1-5-21-2244014245-3637982190-3323613867-2002
Primary Group SID:    S-1-5-21-2244014245-3637982190-3323613867-512
Full Name:            Buchan Milne
Home Directory:       \\%N\bgmilne
HomeDir Drive:        Z:
Logon Script:
Profile Path:         \\cm3-samba3\Profiles\bgmilne
Domain:               CMDOM
Account desc:
Munged dial:
Logon time:           Fri, 13 Dec 1901 22:45:51 GMT
Logoff time:          Fri, 13 Dec 1901 22:45:51 GMT
Kickoff time:         Fri, 13 Dec 1901 22:45:51 GMT
Password last set:    Mon, 29 Sep 2003 11:54:34 GMT
Password can change:  Mon, 29 Sep 2003 11:54:34 GMT
Password must change: Mon, 20 Oct 2003 11:54:34 GMT

The group RID for the group is 2003:
# net groupmap list verbose

        SID       : S-1-5-21-2244014245-3637982190-3323613867-2003
        Unix group: bgmilne
        Group type: Domain group
        Comment   :
(other entries removed)

Attached to the bug report is a file containing the section of the log (level 5)
from double-clicking on the group entry in User Manager for Domains, as well as
relevant information on the affected user and all group mappings.
Comment 1 Buchan Milne 2003-10-13 08:17:01 UTC
Created attachment 196 [details]
Log extracts and user/group details
Comment 2 Buchan Milne 2003-10-13 15:15:34 UTC
First line should read:
This bug is present in at least samba-3.0.0 and samba-3.0.1pre1.
Comment 3 Gerald (Jerry) Carter 2003-11-04 20:45:23 UTC
I don't think this can be fixed since the lookup_name
will match the user first.  The solution is to name use 
user private groups.  Or at least set the ntgroup name
in the mapping entry to be different.  Windows doesn't 
support users and groups sharing the same name.
Comment 4 Buchan Milne 2003-11-05 02:24:43 UTC
Sorry Jerry, you weren't quite clear (or you made a typo), did you mean that the
solution is to _not_ use user private groups?

If so, this needs to be documented in the group mapping section of the Samba
Howto Collection (AFAIK this issue is not mentioned), considering that many
linux distributions default to creating user private groups, and I think this
issue will cause a lot of frustration (I think it was causing problems using
things like User Manager for Domains for working for a user who is a member of
the Domain Admin group but has a user private group).
Comment 5 Gerald (Jerry) Carter 2003-11-05 06:17:46 UTC
Sorry, there are two possible solutions.

  1) don't use user private groups, or
  2) change the display name for the group mapping 
     entry to a unique name so that there is no conflict.

This is one of those areas where Windows semantics 
(no name conflicts) has to take precedence.  But you're right, 
it probably needs some docs.
Comment 6 Buchan Milne 2003-11-06 09:18:43 UTC
I wonder if this still should not be considered a bug.

Samba knows the restrictions on Windows group/user naming conventions, nothing
else is guaranteed to know this (including the Unix-leaning administrator).

Should net groupmap or similar not at least warn against adding an ntgroup
mapping that matches the uid of a sambaSamAccount user?

Since many linux distributions do use user-private groups to do this, and samba
complains about missing group mappings for user's primary groups, it is quite
likely that many users will fall into this trap ...

If it is feasible to prevent this (I don't know if passdb supports the features
required for it on all backends), it would be sensible to do so (or at least
print a warning).
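The collision check suggested in this thread, written as an added example rather than anything from the Samba project: it parses the one-line output of `pdbedit -L` (assumed here to be `username:uid:full name`) and `net groupmap list` (assumed here to be `ntgroup (SID) -> unixgroup`), reports every group mapping whose NT name matches a user account, and also offers the pre-add warning that `net groupmap add` could give. The sample output below is constructed; only the domain SID and the bgmilne user/group RIDs are taken from this report. The `newntgroup=` option in the suggested fix is the Samba 3 `net groupmap modify` rename option, and the `_group` suffix is a placeholder.

```python
"""Find NT-name collisions between Samba user accounts and group mappings.

Added example, not Samba code. Names are compared case-insensitively
because Windows account names are case-insensitive.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the assumed `pdbedit -L` format: username:uid:full name
SAMPLE_PDBEDIT = """\
bgmilne:1000:Buchan Milne
alice:1001:Alice Example
root:0:root
"""

# Constructed sample in the assumed `net groupmap list` format: ntgroup (SID) -> unixgroup
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-2244014245-3637982190-3323613867-512) -> admins
Domain Users (S-1-5-21-2244014245-3637982190-3323613867-513) -> users
bgmilne (S-1-5-21-2244014245-3637982190-3323613867-2003) -> bgmilne
alice (S-1-5-21-2244014245-3637982190-3323613867-2005) -> alice
"""

# One `net groupmap list` line (format assumed): "<ntgroup> (<SID>) -> <unixgroup>"
_GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>\S+)$")


def parse_pdbedit(text: str) -> Dict[str, int]:
    """Map each NT username to its uid from `pdbedit -L` style output."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, uid, _full_name = line.split(":", 2)
        users[name] = int(uid)
    return users


def parse_groupmap(text: str) -> List[Tuple[str, str, str]]:
    """Return (ntgroup, sid, unixgroup) for each parsable `net groupmap list` line."""
    groups = []
    for line in text.splitlines():
        m = _GROUPMAP_RE.match(line.strip())
        if m:
            groups.append((m.group("nt"), m.group("sid"), m.group("unix")))
    return groups


def find_collisions(users: Dict[str, int],
                    groups: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (ntgroup, group_sid, username) for every mapping that shares its NT name
    with a user; Samba's lookup_name resolves such a name to the user first."""
    by_lower = {u.lower(): u for u in users}
    hits = []
    for nt, sid, _unix in groups:
        user = by_lower.get(nt.lower())
        if user is not None:
            hits.append((nt, sid, user))
    return hits


def check_new_mapping(users: Dict[str, int], ntgroup: str) -> Optional[str]:
    """The warning a `net groupmap add` could give: the username a proposed ntgroup name
    would clash with, or None when the name is free."""
    for user in users:
        if user.lower() == ntgroup.lower():
            return user
    return None


def report(users: Dict[str, int], groups: List[Tuple[str, str, str]]) -> List[str]:
    """Human-readable warning lines, one collision per pair of lines."""
    lines = []
    for nt, sid, user in find_collisions(users, groups):
        lines.append(f"WARNING: group mapping '{nt}' ({sid}) shares its name with user "
                     f"'{user}'; name lookups will resolve the user, not the group")
        # Rename via the Samba 3 `net groupmap modify ... newntgroup=` option;
        # the "_group" suffix is only a placeholder for a unique display name.
        lines.append(f'  fix: net groupmap modify ntgroup="{nt}" newntgroup="{nt}_group"')
    return lines


if __name__ == "__main__":
    for line in report(parse_pdbedit(SAMPLE_PDBEDIT), parse_groupmap(SAMPLE_GROUPMAP)):
        print(line)
```

On a live system the two inputs would come from `pdbedit -L` and `net groupmap list` run as root; the check itself never talks to LDAP, so it works the same for any passdb backend.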
Comment 7 Gerald (Jerry) Carter 2005-11-14 09:28:58 UTC
database cleanup