8248 – Primary group is missing in the list of SIDs when connecting to AD member Samba from a non-member workstation

Bug 8248 - Primary group is missing in the list of SIDs when connecting to AD member Samba from a non-member workstation

Summary: Primary group is missing in the list of SIDs when connecting to AD member Sam...

Status:	NEW

Alias:	None

Product:	Samba 3.5
Classification:	Unclassified
Component:	User & Group Accounts (show other bugs)
Version:	3.5.9
Hardware:	All All

Importance:	P5 normal
Target Milestone:	---
Assignee:	Samba Bugzilla Account
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-06-21 13:14 UTC by Andriy Syrovenko
Modified:	2011-06-23 17:56 UTC (History)
CC List:	0 users

See Also:

Attachments
Patch that fixed the problem for me (1.02 KB, patch) 2011-06-21 14:49 UTC, Andriy Syrovenko	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andriy Syrovenko 2011-06-21 13:14:13 UTC

I have the following:

- Samba 3.5.9 server joined into AD.
- Domain user whose primary domain group is 'Domain Users'.
- A share on the Samba server with ACL that allows access for the members of the 'Domain Users' group only.

If the user connects to this Samba server from a domain member workstation everything works fine.

But if the user tries to connect to the same server from a standalone workstation (that is not a domain member) he can not access the share. It successfully authorizes on the server, sees the list of available shares, but gets 'Access denied' any time it tries to access the share in question.

I've risen the log level and looked through the logs. From what I've seen there, it seems that Samba looses the user's primary group while building the list of all user's group SIDs.

Patch that fixed the problem for me follows.

Comment 1 Andriy Syrovenko 2011-06-21 14:49:22 UTC

Created attachment 6600 [details]
Patch that fixed the problem for me

The following path fixes the problem for me:

diff -U7 -rN samba-3.5.9.orig/source3/auth/auth_util.c samba-3.5.9/source3/auth/auth_util.c
--- samba-3.5.9.orig/source3/auth/auth_util.c	2011-06-14 14:17:28.000000000 +0300
+++ samba-3.5.9/source3/auth/auth_util.c	2011-06-20 23:31:38.000000000 +0300
@@ -2065,23 +2065,23 @@
 	/* Fill in the unix info we found on the way */
 
 	result->utok.uid = uid;
 	result->utok.gid = gid;
 
 	/* Create a 'combined' list of all SIDs we might want in the SD */
 
-	result->num_sids = info->num_sids - 2;
+	result->num_sids = info->num_sids - 1;
 	result->sids = talloc_array(result, DOM_SID, result->num_sids);
 	if (result->sids == NULL) {
 		TALLOC_FREE(result);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	for (i=0; i < result->num_sids; i++) {
-		memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
+		memcpy(&result->sids[i], &info->sids[i+1].sid, sizeof(result->sids[i]));
 	}
 
 	/* Ensure the primary group sid is at position 0. */
 	sort_sid_array_for_smbd(result, &group_sid);
 
 	/* ensure we are never given NULL session keys */
 


Additionally, the call to the sort_sid_array_for_smbd() function seems to be redundant, but I've left it as is to keep the patch minimal.

Comment 2 Jeremy Allison 2011-06-23 17:56:27 UTC

This has already been fixed in a different way for 3.6.0 and above. Let me examine this to see if it's possible to back-port.

Jeremy.