Bug 8248 - Primary group is missing in the list of SIDs when connecting to AD member Samba from a non-member workstation
Primary group is missing in the list of SIDs when connecting to AD member Sam...
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: User & Group Accounts
All All
: P5 normal
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2011-06-21 13:14 UTC by Andriy Syrovenko
Modified: 2011-06-23 17:56 UTC (History)
0 users

See Also:

Patch that fixed the problem for me (1.02 KB, patch)
2011-06-21 14:49 UTC, Andriy Syrovenko
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andriy Syrovenko 2011-06-21 13:14:13 UTC
I have the following:

- Samba 3.5.9 server joined into AD.
- Domain user whose primary domain group is 'Domain Users'.
- A share on the Samba server with ACL that allows access for the members of the 'Domain Users' group only.

If the user connects to this Samba server from a domain member workstation everything works fine.

But if the user tries to connect to the same server from a standalone workstation (that is not a domain member) he can not access the share. It successfully authorizes on the server, sees the list of available shares, but gets 'Access denied' any time it tries to access the share in question.

I've risen the log level and looked through the logs. From what I've seen there, it seems that Samba looses the user's primary group while building the list of all user's group SIDs.

Patch that fixed the problem for me follows.
Comment 1 Andriy Syrovenko 2011-06-21 14:49:22 UTC
Created attachment 6600 [details]
Patch that fixed the problem for me

The following path fixes the problem for me:

diff -U7 -rN samba-3.5.9.orig/source3/auth/auth_util.c samba-3.5.9/source3/auth/auth_util.c
--- samba-3.5.9.orig/source3/auth/auth_util.c	2011-06-14 14:17:28.000000000 +0300
+++ samba-3.5.9/source3/auth/auth_util.c	2011-06-20 23:31:38.000000000 +0300
@@ -2065,23 +2065,23 @@
 	/* Fill in the unix info we found on the way */
 	result->utok.uid = uid;
 	result->utok.gid = gid;
 	/* Create a 'combined' list of all SIDs we might want in the SD */
-	result->num_sids = info->num_sids - 2;
+	result->num_sids = info->num_sids - 1;
 	result->sids = talloc_array(result, DOM_SID, result->num_sids);
 	if (result->sids == NULL) {
 	for (i=0; i < result->num_sids; i++) {
-		memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
+		memcpy(&result->sids[i], &info->sids[i+1].sid, sizeof(result->sids[i]));
 	/* Ensure the primary group sid is at position 0. */
 	sort_sid_array_for_smbd(result, &group_sid);
 	/* ensure we are never given NULL session keys */

Additionally, the call to the sort_sid_array_for_smbd() function seems to be redundant, but I've left it as is to keep the patch minimal.
Comment 2 Jeremy Allison 2011-06-23 17:56:27 UTC
This has already been fixed in a different way for 3.6.0 and above. Let me examine this to see if it's possible to back-port.