The Samba-Bugzilla – Bug 6681
supplementary group support broken
Last modified: 2017-08-24 18:12:53 UTC
I am running Samba bound to a Windows Active Directory domain on some Solaris 10 machines. All the share access is controlled by Unix group membership and the underlying Unix paths have group access applied, e.g.:
bash-3.00# ls -las /opt/itgroup/
2 drwxrwx--- 2 root issup 512 Aug 31 16:18 .
2 drwxr-xr-x 9 root sys 512 Aug 31 16:18 ..
The share for the above path in smb.conf looks like:
path = /opt
public = no
writable = no
printable = no
valid users = +itgroup
I am trying to access this share with my account which had the following unix creds:
bash-3.00# id blymn
bash-3.00# groups blymn
itgroup uucp issup mtms logrepor iscleric tmbrlne other sysadm root cmroconv invload smbadmin webtime sysadmin periscop
All the user and group information at the Unix level is derived from NIS entries.
So blymn can, at the Unix level, access the directory /opt/itgroup, but when running v3.4.0 of Samba the Windows user blymn cannot access the share mallee-group at all; an access denied error is returned. If I add a NIS netgroup and use the following:
path = /opt
public = no
writable = no
printable = no
valid users = &admins
Then user blymn can map the share but is then unable to access the mallee-netgroup\itgroup folder on a Windows machine. If the group of the Unix directory is changed to the user's primary group then access works.
It looks like the secondary group membership for the user is not being added to the security context. This is part of the smbd.log at log level 10 when the user tries to access the folder:
[2009/08/31 23:28:52, 3] smbd/process.c:1251(switch_message)
switch message SMBclose (pid 3162) conn 0xcc0180
[2009/08/31 23:28:52, 0] smbd/uid.c:295(change_to_user)
set_sec_ctx: vuser num_groups = 0
[2009/08/31 23:28:52, 0] smbd/uid.c:344(change_to_user)
set_sec_ctx: num_groups = 0
[2009/08/31 23:28:52, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (100, 900) - sec_ctx_stack_ndx = 0
[2009/08/31 23:28:52, 5] auth/token_util.c:528(debug_nt_user_token)
NT user token of user S-1-5-21-515967899-507921405-1177238915-3103
contains 30 SIDs
SID[ 0]: S-1-5-21-515967899-507921405-1177238915-3103
SID[ 1]: S-1-5-21-515967899-507921405-1177238915-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-21-515967899-507921405-1177238915-40858
SID[ 6]: S-1-5-21-515967899-507921405-1177238915-29407
SID[ 7]: S-1-5-21-515967899-507921405-1177238915-43946
SID[ 8]: S-1-5-21-515967899-507921405-1177238915-19224
SID[ 9]: S-1-5-21-515967899-507921405-1177238915-40907
SID[ 10]: S-1-5-21-515967899-507921405-1177238915-40044
SID[ 11]: S-1-5-21-515967899-507921405-1177238915-40045
SID[ 12]: S-1-5-21-515967899-507921405-1177238915-13873
SID[ 13]: S-1-5-21-515967899-507921405-1177238915-1251
SID[ 14]: S-1-5-21-515967899-507921405-1177238915-39884
SID[ 15]: S-1-5-21-515967899-507921405-1177238915-30072
SID[ 16]: S-1-5-21-515967899-507921405-1177238915-12106
SID[ 17]: S-1-5-21-515967899-507921405-1177238915-1194
SID[ 18]: S-1-5-21-515967899-507921405-1177238915-2660
SID[ 19]: S-1-5-21-515967899-507921405-1177238915-48107
SID[ 20]: S-1-5-21-515967899-507921405-1177238915-44830
SID[ 21]: S-1-5-21-515967899-507921405-1177238915-13946
SID[ 22]: S-1-5-21-515967899-507921405-1177238915-23061
SID[ 23]: S-1-5-21-515967899-507921405-1177238915-50024
SID[ 24]: S-1-5-21-515967899-507921405-1177238915-3148
SID[ 25]: S-1-5-21-515967899-507921405-1177238915-1248
SID[ 26]: S-1-5-21-515967899-507921405-1177238915-8225
SID[ 27]: S-1-5-21-515967899-507921405-1177238915-14913
SID[ 28]: S-1-5-21-515967899-507921405-1177238915-14021
SID[ 29]: S-1-22-1-100
SE_PRIV 0x0 0x0 0x0 0x0
[2009/08/31 23:28:52, 5] auth/token_util.c:548(debug_unix_user_token)
UNIX token of user 100
Primary group is 900 and contains 0 supplementary groups
[2009/08/31 23:28:52, 5] smbd/uid.c:356(change_to_user)
change_to_user uid=(0,100) gid=(0,900)
[2009/08/31 23:28:52, 3] smbd/reply.c:4444(reply_close)
close directory fnum=4195
Note the number of supplementary groups for the UNIX user. If I use the smbd provided by Sun (v3.0.33) with the v3.4.0 versions of winbindd and nmbd then access to the share works fine.
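A log check for the symptom described in this report, as an added example that is not part of the original bug report or Samba's own code: it pairs each NT token dump with the UNIX token dump that follows it and flags sessions whose NT token carries several domain group SIDs while the UNIX token has no supplementary groups. The sample log is constructed in the format quoted above (SID list shortened, second user invented), and the "more than one domain group SID" threshold is an assumption.

```python
import re

# Constructed sample in the smbd log format quoted above; the -99999 user is invented.
SAMPLE_LOG = """\
[2009/08/31 23:28:52, 5] auth/token_util.c:528(debug_nt_user_token)
  NT user token of user S-1-5-21-515967899-507921405-1177238915-3103
  contains 4 SIDs
  SID[  0]: S-1-5-21-515967899-507921405-1177238915-3103
  SID[  1]: S-1-5-21-515967899-507921405-1177238915-513
  SID[  2]: S-1-5-21-515967899-507921405-1177238915-40858
  SID[  3]: S-1-22-1-100
[2009/08/31 23:28:52, 5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 100
  Primary group is 900 and contains 0 supplementary groups
[2009/08/31 23:29:10, 5] auth/token_util.c:528(debug_nt_user_token)
  NT user token of user S-1-5-21-515967899-507921405-1177238915-99999
  contains 3 SIDs
  SID[  0]: S-1-5-21-515967899-507921405-1177238915-99999
  SID[  1]: S-1-5-21-515967899-507921405-1177238915-513
  SID[  2]: S-1-5-21-515967899-507921405-1177238915-40858
[2009/08/31 23:29:10, 5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 101
  Primary group is 900 and contains 1 supplementary groups
"""

NT_RE = re.compile(r"NT user token of user (S-[\d-]+)")
SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")
UID_RE = re.compile(r"UNIX token of user (\d+)")
GRP_RE = re.compile(r"Primary group is \d+ and contains (\d+) supplementary groups")

def find_group_mismatches(log_text):
    """Return sessions with domain group SIDs but an empty UNIX supplementary list."""
    findings, nt, uid = [], None, None
    for line in log_text.splitlines():
        if m := NT_RE.search(line):
            nt = {"user_sid": m.group(1), "sids": []}      # start of an NT token dump
        elif (m := SID_RE.search(line)) and nt is not None:
            nt["sids"].append(m.group(1))
        elif m := UID_RE.search(line):
            uid = int(m.group(1))                           # start of a UNIX token dump
        elif (m := GRP_RE.search(line)) and nt is not None and uid is not None:
            supp = int(m.group(1))
            # Domain SIDs other than the user's own are group memberships.
            domain = [s for s in nt["sids"]
                      if s.startswith("S-1-5-21-") and s != nt["user_sid"]]
            if len(domain) > 1 and supp == 0:               # assumed threshold
                findings.append({"uid": uid, "domain_group_sids": len(domain)})
            nt, uid = None, None                            # reset for the next pair
    return findings
```

Both token dumps are only written at log level 5 or higher, as in the excerpt above.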
This is my issue!
Can you add a "username map" file, mapping
blymn = blymn
i.e. just as identities?
There is no username map - the windows username maps directly to the unix username. i.e. blymn on windows = blymn on unix.
I know. I'm asking because an identity username map has an effect: It dumps the NT token and gets the group info from nsswitch.
Ah, I see what you mean. If I have a username map file with:
blymn = AU\blymn
in it then the supplementary groups come through (we are using ADS
I suppose this is not a good place to ask this but is there a way of
wildcarding the lhs and rhs on that? We have about 5000 users spread over a
couple of AD domains so creating mappings for each one that potentially access
the shares is going to be.... laborious.
All the examples I can find seem to indicate you cannot wildcard the lhs.
No wildcards yet, sorry. Should be relatively simple to implement. I'll take this bug to my list of right now >80 bugs :-)
These days Samba has "username map script" to do something like wildcard mapping.