The Samba-Bugzilla – Bug 609
With ldapsam, if a group exists matching a user account, samba looks up group using the user SID
Last modified: 2005-11-14 09:28:58 UTC
This bug is present in at least samba-3.0.0 and samba-3.0.0pre1.
The symptom is the inability to view the properties of a group which has a user
account of the same name via the Windows NT version of the User Manager for
Domains. When double-clicking on the group entry, an LDAP search is shown in the
logs for the SID matching the user account, instead of using the SID for the group.
For example, in the logs attached, you will notice:
[2003/10/13 10:45:11, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1615)
ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(sam
However, the RID 2002 belongs to a user account:
# pdbedit3 -L -v -u bgmilne
Unix username: bgmilne
NT username: bgmilne
Account Flags: [U ]
User SID: S-1-5-21-2244014245-3637982190-3323613867-2002
Primary Group SID: S-1-5-21-2244014245-3637982190-3323613867-512
Full Name: Buchan Milne
Home Directory: \\%N\bgmilne
HomeDir Drive: Z:
Profile Path: \\cm3-samba3\Profiles\bgmilne
Logon time: Fri, 13 Dec 1901 22:45:51 GMT
Logoff time: Fri, 13 Dec 1901 22:45:51 GMT
Kickoff time: Fri, 13 Dec 1901 22:45:51 GMT
Password last set: Mon, 29 Sep 2003 11:54:34 GMT
Password can change: Mon, 29 Sep 2003 11:54:34 GMT
Password must change: Mon, 20 Oct 2003 11:54:34 GMT
The group RID for the group is 2003:
# net groupmap list verbose
SID : S-1-5-21-2244014245-3637982190-3323613867-2003
Unix group: bgmilne
Group type: Domain group
(other entries removed)
Attached to the bug report is a file containing the section of the log (level 5)
from double-clicking on the group entry in User Manager for domains, as well as
relevant information on the affected user and all group mappings.
Created attachment 196
Log extracts and user/group details
First line should read:
This bug is present in at least samba-3.0.0 and samba-3.0.1pre1.
I don't think this can be fixed since the lookup_name
will match the user first. The solution is to name use
user private groups. Or at least set the ntgroup name
in the mapping entry to be different. Windows doesn't
support users and groups sharing the same name.
Sorry Jerry, you weren't quite clear (or you made a typo), did you mean that the
solution is to _not_ use user private groups?
If so, this needs to be documented in the group mapping section of the Samba
Howto Collection (AFAIK this issue is not mentioned), considering that many
linux distributions default to creating user private groups, and I think this
issue will cause a lot of frustration (I think it was causing problems using
things like User Manager for Domains for working for a user who is a member of
the Domain Admin group but has a user private group).
Sorry, there are two possible solutions.
1) don't use user private groups, or
2) change the display name for the group mapping
entry to a unique name so that there is no conflict.
This is one of those areas where windows semantics
(no name conflicts) has to take precedence. But you're right,
it probably needs some docs.
I wonder if this still should not be considered a bug.
Samba knows the restrictions on Windows group/user naming conventions, nothing
else is guaranteed to know this (including the Unix-leaning administrator).
Should net groupmap or similar not at least warn against adding an ntgroup
mapping that matches the uid of a sambaSamAccount user?
Since many linux distributions do use user-private groups to do this, and samba
complains about missing group mappings for user's primary groups, it is quite
likely that many users will fall into this trap ...
If it is feasible to prevent this (I don't know if passdb supports the features
required for it on all backends), it would be sensible to do so (or at least
print a warning).
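As an added example (not code from the Samba project or from the bug thread), the warning check the last comment asks for, done offline on saved command output: it parses the default output of `pdbedit -L` (user:uid:gecos lines) and of `net groupmap list` (ntname (SID) -> unixgroup lines) and reports every group mapping whose NT name equals a user account name, comparing case-insensitively because Windows names are. Both output formats are assumptions about those tools, and the sample data is constructed.

```python
import re

# Constructed sample in the shape of `pdbedit -L` output (user:uid:gecos).
PDBEDIT_L = """\
bgmilne:1002:Buchan Milne
alice:1003:Alice Example
root:0:root
"""
# Constructed sample in the shape of `net groupmap list` output
# (ntname (SID) -> unixgroup); the SIDs are placeholders, not real values.
GROUPMAP_LIST = """\
Domain Admins (S-1-5-21-0-0-0-512) -> domadm
Domain Users (S-1-5-21-0-0-0-513) -> users
bgmilne (S-1-5-21-0-0-0-2003) -> bgmilne
Alice (S-1-5-21-0-0-0-2005) -> alice
"""
GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)\s*$")

def parse_pdbedit_users(text):
    """Account names from `pdbedit -L` output (first colon-separated field)."""
    users = set()
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            users.add(line.split(":", 1)[0])
    return users

def parse_groupmap(text):
    """(ntname, sid, unixgroup) tuples from `net groupmap list` output."""
    maps = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line)
        if m:
            maps.append((m.group("nt"), m.group("sid"), m.group("unix")))
    return maps

def find_name_collisions(pdbedit_text, groupmap_text):
    """Sorted (ntname, sid) of mappings whose NT name equals a user account name.

    The comparison is case-insensitive because Windows names are; such a
    group is unreachable by name since lookup_name resolves the user first.
    """
    users = {u.lower() for u in parse_pdbedit_users(pdbedit_text)}
    return sorted((nt, sid) for nt, sid, _ in parse_groupmap(groupmap_text)
                  if nt.lower() in users)

if __name__ == "__main__":
    for nt, sid in find_name_collisions(PDBEDIT_L, GROUPMAP_LIST):
        print(f"WARNING: group mapping '{nt}' ({sid}) shares its name with a user account")
```

On a live server the two constants would be replaced by the captured output of the two commands; a non-empty result is the case this bug describes, and renaming the NT group (solution 2 above) clears it.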