Bug 6681 - supplementary group support broken
supplementary group support broken
Status: NEW
Product: Samba 3.4
Classification: Unclassified
Component: User & Group Accounts
3.4.0
Sparc Solaris
: P3 normal
: ---
Assigned To: Volker Lendecke
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-08-31 20:54 UTC by Brett Lymn
Modified: 2015-12-02 18:10 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Brett Lymn 2009-08-31 20:54:32 UTC
I am running samba bound to a Windows Active Directory domain on some Solaris 10 machines, all the share access is controlled by Unix group membership and the underlying unix paths have group access applied, e.g.:

bash-3.00# ls -las /opt/itgroup/
total 4
   2 drwxrwx---   2 root     issup        512 Aug 31 16:18 .
   2 drwxr-xr-x   9 root     sys          512 Aug 31 16:18 ..

The share for the above path in smb.conf looks like:

[mallee-group]
   path = /opt
   public = no
   writable = no
   printable = no
   valid users = +itgroup

I am trying to access this share with my account which had the following unix creds:

bash-3.00# id blymn
uid=100(blymn) gid=900(itgroup)
bash-3.00# groups blymn
itgroup uucp issup mtms logrepor iscleric tmbrlne other sysadm root cmroconv invload smbadmin webtime sysadmin periscop

All the user and group information at the unix level are derived from NIS entries.

So, blymn can, at the unix level can access the directory /opt/itgroup but when running v3.4.0 of samba the windows user blymn cannot access the share mallee-group at all, an access denied error is returned.  If I add a NIS netgroup and use the the following:

[mallee-netgroup]
   path = /opt
   public = no
   writable = no
   printable = no
   valid users = &admins

Then user blymn can map the share but is then unable to access mallee-netgroup\itgroup folder on a windows machine.  If the group of the unix directory is changed to the user's primary group then access works.

It looks like the secondary group membership for the user is not being added to the security context, this is part of the smbd.log at log level 10 when the user tries to access the folder:

[2009/08/31 23:28:52,  3] smbd/process.c:1251(switch_message)
  switch message SMBclose (pid 3162) conn 0xcc0180
[2009/08/31 23:28:52,  0] smbd/uid.c:295(change_to_user)
  set_sec_ctx: vuser num_groups = 0
[2009/08/31 23:28:52,  0] smbd/uid.c:344(change_to_user)
  set_sec_ctx: num_groups = 0
[2009/08/31 23:28:52,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (100, 900) - sec_ctx_stack_ndx = 0
[2009/08/31 23:28:52,  5] auth/token_util.c:528(debug_nt_user_token)
  NT user token of user S-1-5-21-515967899-507921405-1177238915-3103
  contains 30 SIDs
  SID[  0]: S-1-5-21-515967899-507921405-1177238915-3103
  SID[  1]: S-1-5-21-515967899-507921405-1177238915-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-515967899-507921405-1177238915-40858
  SID[  6]: S-1-5-21-515967899-507921405-1177238915-29407
  SID[  7]: S-1-5-21-515967899-507921405-1177238915-43946
  SID[  8]: S-1-5-21-515967899-507921405-1177238915-19224
  SID[  9]: S-1-5-21-515967899-507921405-1177238915-40907
  SID[ 10]: S-1-5-21-515967899-507921405-1177238915-40044
  SID[ 11]: S-1-5-21-515967899-507921405-1177238915-40045
  SID[ 12]: S-1-5-21-515967899-507921405-1177238915-13873
  SID[ 13]: S-1-5-21-515967899-507921405-1177238915-1251
  SID[ 14]: S-1-5-21-515967899-507921405-1177238915-39884
  SID[ 15]: S-1-5-21-515967899-507921405-1177238915-30072
  SID[ 16]: S-1-5-21-515967899-507921405-1177238915-12106
  SID[ 17]: S-1-5-21-515967899-507921405-1177238915-1194
  SID[ 18]: S-1-5-21-515967899-507921405-1177238915-2660
  SID[ 19]: S-1-5-21-515967899-507921405-1177238915-48107
  SID[ 20]: S-1-5-21-515967899-507921405-1177238915-44830
  SID[ 21]: S-1-5-21-515967899-507921405-1177238915-13946
  SID[ 22]: S-1-5-21-515967899-507921405-1177238915-23061
  SID[ 23]: S-1-5-21-515967899-507921405-1177238915-50024
  SID[ 24]: S-1-5-21-515967899-507921405-1177238915-3148
  SID[ 25]: S-1-5-21-515967899-507921405-1177238915-1248
  SID[ 26]: S-1-5-21-515967899-507921405-1177238915-8225
  SID[ 27]: S-1-5-21-515967899-507921405-1177238915-14913
  SID[ 28]: S-1-5-21-515967899-507921405-1177238915-14021
  SID[ 29]: S-1-22-1-100
  SE_PRIV  0x0 0x0 0x0 0x0
[2009/08/31 23:28:52,  5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 100
  Primary group is 900 and contains 0 supplementary groups
[2009/08/31 23:28:52,  5] smbd/uid.c:356(change_to_user)
  change_to_user uid=(0,100) gid=(0,900)
[2009/08/31 23:28:52,  3] smbd/reply.c:4444(reply_close)
  close directory fnum=4195

Note the number of supplementary groups for the UNIX user.  If I use the smbd provided by Sun (v3.0.33) with the v3.4.0 versions of winbindd and nmbd then access to the share works fine.
Comment 1 Nicolas Dorfsman (mail address dead) 2009-12-01 13:51:39 UTC
This is my issue !
Comment 2 Volker Lendecke 2009-12-01 16:28:41 UTC
Can you add a "username map" file, mapping 

blymn = blymn

i.e. just as identities?

Volker
Comment 3 Brett Lymn 2009-12-01 17:02:45 UTC
There is no username map - the windows username maps directly to the unix username.  i.e. blymn on windows = blymn on unix.
Comment 4 Volker Lendecke 2009-12-01 17:04:03 UTC
I know. I'm asking because an identity username map has an effect: It dumps the NT token and gets the group info from nsswitch.

Volker
Comment 5 Brett Lymn 2009-12-01 18:49:36 UTC
Ah, I see what you mean.  If I have a username map file with:

blymn = AU\blymn

in it then the supplementary groups come through (we are using ADS
authentication)

I suppose this is not a good place to ask this but is there a way of
wildcarding the lhs and rhs on that?  We have about 5000 users spread over a
couple of AD domains so creating mappings for each one that potentially access
the shares is going to be.... laborious.

All the examples I can find seem to indicate you cannot wildcard the lhs.
Comment 6 Volker Lendecke 2009-12-02 01:35:28 UTC
No wildcards yet, sorry. Should be relatively simple to implement. I'll take this bug to my list of right now >80 bugs :-)

Volker