I have the following:
- Samba 3.5.9 server joined into AD.
- Domain user whose primary domain group is 'Domain Users'.
- A share on the Samba server with an ACL that allows access for the members of the 'Domain Users' group only.
If the user connects to this Samba server from a domain member workstation everything works fine. But if the user tries to connect to the same server from a standalone workstation (that is not a domain member) he cannot access the share. It successfully authorizes on the server, sees the list of available shares, but gets 'Access denied' any time it tries to access the share in question. I've raised the log level and looked through the logs. From what I've seen there, it seems that Samba loses the user's primary group while building the list of all the user's group SIDs. The patch that fixed the problem for me follows.
Created attachment 6600
Patch that fixed the problem for me
The following patch fixes the problem for me:
diff -U7 -rN samba-3.5.9.orig/source3/auth/auth_util.c samba-3.5.9/source3/auth/auth_util.c --- samba-3.5.9.orig/source3/auth/auth_util.c 2011-06-14 14:17:28.000000000 +0300 +++ samba-3.5.9/source3/auth/auth_util.c 2011-06-20 23:31:38.000000000 +0300 @@ -2065,23 +2065,23 @@ /* Fill in the unix info we found on the way */ result->utok.uid = uid; result->utok.gid = gid; /* Create a 'combined' list of all SIDs we might want in the SD */ - result->num_sids = info->num_sids - 2; + result->num_sids = info->num_sids - 1; result->sids = talloc_array(result, DOM_SID, result->num_sids); if (result->sids == NULL) { TALLOC_FREE(result); return NT_STATUS_NO_MEMORY; } for (i=0; i < result->num_sids; i++) { - memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i])); + memcpy(&result->sids[i], &info->sids[i+1].sid, sizeof(result->sids[i])); } /* Ensure the primary group sid is at position 0. */ sort_sid_array_for_smbd(result, &group_sid); /* ensure we are never given NULL session keys */
Additionally, the call to the sort_sid_array_for_smbd() function seems to be redundant, but I've left it as is to keep the patch minimal.
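Review bot: the changed offset (skipping one leading entry of info->sids instead of two) is left undocumented, and the lines below it depend on that layout: the "Ensure the primary group sid is at position 0" comment and the sort_sid_array_for_smbd(result, &group_sid) call only make sense if the primary group SID is now among the copied entries. Add a comment above `result->num_sids = info->num_sids - 1;` stating which entry of info->sids is being skipped and why, so the next reader does not reintroduce the -2. Also confirm that info->num_sids cannot be 0 at this point; if it can, the subtraction wraps (or goes negative) before being passed to talloc_array, and a guard before the allocation would be cheaper than relying on the NULL check. The sort call is not redundant under this patch: it is what guarantees the primary group lands at index 0 regardless of where it sits in info->sids, so keeping it is the right call even if the ordering is already correct in the common case.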
This has already been fixed in a different way for 3.6.0 and above. Let me examine this to see if it's possible to back-port. Jeremy.