I am running samba bound to a Windows Active Directory domain on some Solaris 10 machines, all the share access is controlled by Unix group membership and the underlying unix paths have group access applied, e.g.:

    bash-3.00# ls -las /opt/itgroup/
    total 4
       2 drwxrwx---   2 root     issup        512 Aug 31 16:18 .
       2 drwxr-xr-x   9 root     sys          512 Aug 31 16:18 ..

The share for the above path in smb.conf looks like:

    [mallee-group]
        path = /opt
        public = no
        writable = no
        printable = no
        valid users = +itgroup

I am trying to access this share with my account which had the following unix creds:

    bash-3.00# id blymn
    uid=100(blymn) gid=900(itgroup)
    bash-3.00# groups blymn
    itgroup uucp issup mtms logrepor iscleric tmbrlne other sysadm root cmroconv invload smbadmin webtime sysadmin periscop

All the user and group information at the unix level are derived from NIS entries. So, blymn can, at the unix level, access the directory /opt/itgroup but when running v3.4.0 of samba the windows user blymn cannot access the share mallee-group at all, an access denied error is returned. If I add a NIS netgroup and use the following:

    [mallee-netgroup]
        path = /opt
        public = no
        writable = no
        printable = no
        valid users = &admins

Then user blymn can map the share but is then unable to access the mallee-netgroup\itgroup folder on a windows machine. If the group of the unix directory is changed to the user's primary group then access works.
It looks like the secondary group membership for the user is not being added to the security context. This is part of the smbd.log at log level 10 when the user tries to access the folder:

    [2009/08/31 23:28:52, 3] smbd/process.c:1251(switch_message)
      switch message SMBclose (pid 3162) conn 0xcc0180
    [2009/08/31 23:28:52, 0] smbd/uid.c:295(change_to_user)
      set_sec_ctx: vuser num_groups = 0
    [2009/08/31 23:28:52, 0] smbd/uid.c:344(change_to_user)
      set_sec_ctx: num_groups = 0
    [2009/08/31 23:28:52, 3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (100, 900) - sec_ctx_stack_ndx = 0
    [2009/08/31 23:28:52, 5] auth/token_util.c:528(debug_nt_user_token)
      NT user token of user S-1-5-21-515967899-507921405-1177238915-3103 contains 30 SIDs
      SID[  0]: S-1-5-21-515967899-507921405-1177238915-3103
      SID[  1]: S-1-5-21-515967899-507921405-1177238915-513
      SID[  2]: S-1-1-0
      SID[  3]: S-1-5-2
      SID[  4]: S-1-5-11
      SID[  5]: S-1-5-21-515967899-507921405-1177238915-40858
      SID[  6]: S-1-5-21-515967899-507921405-1177238915-29407
      SID[  7]: S-1-5-21-515967899-507921405-1177238915-43946
      SID[  8]: S-1-5-21-515967899-507921405-1177238915-19224
      SID[  9]: S-1-5-21-515967899-507921405-1177238915-40907
      SID[ 10]: S-1-5-21-515967899-507921405-1177238915-40044
      SID[ 11]: S-1-5-21-515967899-507921405-1177238915-40045
      SID[ 12]: S-1-5-21-515967899-507921405-1177238915-13873
      SID[ 13]: S-1-5-21-515967899-507921405-1177238915-1251
      SID[ 14]: S-1-5-21-515967899-507921405-1177238915-39884
      SID[ 15]: S-1-5-21-515967899-507921405-1177238915-30072
      SID[ 16]: S-1-5-21-515967899-507921405-1177238915-12106
      SID[ 17]: S-1-5-21-515967899-507921405-1177238915-1194
      SID[ 18]: S-1-5-21-515967899-507921405-1177238915-2660
      SID[ 19]: S-1-5-21-515967899-507921405-1177238915-48107
      SID[ 20]: S-1-5-21-515967899-507921405-1177238915-44830
      SID[ 21]: S-1-5-21-515967899-507921405-1177238915-13946
      SID[ 22]: S-1-5-21-515967899-507921405-1177238915-23061
      SID[ 23]: S-1-5-21-515967899-507921405-1177238915-50024
      SID[ 24]: S-1-5-21-515967899-507921405-1177238915-3148
      SID[ 25]: S-1-5-21-515967899-507921405-1177238915-1248
      SID[ 26]: S-1-5-21-515967899-507921405-1177238915-8225
      SID[ 27]: S-1-5-21-515967899-507921405-1177238915-14913
      SID[ 28]: S-1-5-21-515967899-507921405-1177238915-14021
      SID[ 29]: S-1-22-1-100
      SE_PRIV  0x0 0x0 0x0 0x0
    [2009/08/31 23:28:52, 5] auth/token_util.c:548(debug_unix_user_token)
      UNIX token of user 100
      Primary group is 900 and contains 0 supplementary groups
    [2009/08/31 23:28:52, 5] smbd/uid.c:356(change_to_user)
      change_to_user uid=(0,100) gid=(0,900)
    [2009/08/31 23:28:52, 3] smbd/reply.c:4444(reply_close)
      close directory fnum=4195

Note the number of supplementary groups for the UNIX user. If I use the smbd provided by Sun (v3.0.33) with the v3.4.0 versions of winbindd and nmbd then access to the share works fine.
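The mismatch the report points at (a populated NT token next to a UNIX token with no supplementary groups) can be picked out of a level-10 smbd log mechanically. The script below is an added example, not part of the bug report; its sample log is constructed from the line formats shown above, with the second user (uid 101) invented as a healthy control.

```shell
#!/bin/sh
# Added example: flag UNIX tokens that received 0 supplementary groups while the
# matching NT token carried more than the user's own SID. Reads smbd log text
# on stdin and prints one line per affected uid.

check_token_log() {
    awk '
        # "NT user token of user <SID> contains <n> SIDs" -> remember n
        /NT user token of user/ { nsids = $(NF-1) }
        # "UNIX token of user <uid>" -> remember uid for the next line
        /UNIX token of user/    { uid = $NF }
        # "Primary group is <gid> and contains <n> supplementary groups"
        /Primary group is .* supplementary groups/ {
            if ($7 == 0 && nsids > 1)
                printf "uid=%s sids=%s unix_groups=%s\n", uid, nsids, $7
            nsids = 0
        }'
}

# Constructed sample in the same layout as the report; the 30-SID token for
# uid 100 is the reported case, uid 101 is an invented healthy user.
sample_log() {
    cat <<'EOF'
[2009/08/31 23:28:52, 5] auth/token_util.c:528(debug_nt_user_token)
  NT user token of user S-1-5-21-515967899-507921405-1177238915-3103 contains 30 SIDs
  SID[  0]: S-1-5-21-515967899-507921405-1177238915-3103
  SID[ 29]: S-1-22-1-100
[2009/08/31 23:28:52, 5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 100
  Primary group is 900 and contains 0 supplementary groups
[2009/08/31 23:30:01, 5] auth/token_util.c:528(debug_nt_user_token)
  NT user token of user S-1-5-21-515967899-507921405-1177238915-4242 contains 6 SIDs
[2009/08/31 23:30:01, 5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 101
  Primary group is 900 and contains 5 supplementary groups
EOF
}

# Usage: check_token_log < /var/log/samba/log.smbd ; with no file, run the sample.
if [ $# -eq 1 ]; then
    check_token_log < "$1"
else
    sample_log | check_token_log
fi
```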
This is my issue!
Can you add a "username map" file, mapping blymn = blymn, i.e. just as identities? Volker
There is no username map - the windows username maps directly to the unix username, i.e. blymn on windows = blymn on unix.
I know. I'm asking because an identity username map has an effect: It dumps the NT token and gets the group info from nsswitch. Volker
Ah, I see what you mean. If I have a username map file with:

    blymn = AU\blymn

in it then the supplementary groups come through (we are using ADS authentication). I suppose this is not a good place to ask this but is there a way of wildcarding the lhs and rhs on that? We have about 5000 users spread over a couple of AD domains so creating mappings for each one that potentially access the shares is going to be... laborious. All the examples I can find seem to indicate you cannot wildcard the lhs.
No wildcards yet, sorry. Should be relatively simple to implement. I'll take this bug to my list of right now >80 bugs :-) Volker
These days samba has "username map script" to do something like wildcard mapping.
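For the wildcard mapping asked for above (DOMAIN\user to user across a couple of AD domains) the "username map script" option from the last comment can carry the same DOMAIN\user mapping without a per-user file. The script below is an added example, not from the thread or the Samba project: smbd runs it with the name from the authentication request as its single argument and reads the mapped name from stdout; the domain names in ALLOWED_DOMAINS are placeholders, and treating a rejected name as no mapping is an assumption to check against the smb.conf man page for your version.

```shell
#!/bin/sh
# Added example: smb.conf would reference it as
#   username map script = /usr/local/sbin/smbmap.sh   (path is a placeholder)
# Maps DOMAIN\user -> user, but only for domains listed here (placeholders).
ALLOWED_DOMAINS="AU CORP"

map_username() {
    name=$1
    case $name in
        *\\*) domain=${name%%\\*}; user=${name##*\\} ;;
        *)    domain="";           user=$name ;;
    esac
    # NIS account names are lower case; AD may present either case.
    user=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$domain" | tr 'a-z' 'A-Z')

    # Only collapse accounts from trusted domains onto NIS names, so that a
    # name such as OTHERDOMAIN\root is never mapped onto the local root account.
    if [ -n "$domain" ]; then
        case " $ALLOWED_DOMAINS " in
            *" $domain "*) ;;
            *) return 1 ;;
        esac
    fi
    # Refuse empty names and anything outside a conservative character set.
    case $user in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$user"
}

# Called by smbd with one argument: print the mapped name. A rejected name
# prints nothing and exits non-zero (assumed to mean "no mapping").
if [ $# -eq 1 ]; then
    map_username "$1"
fi
```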