Bug 8455 - Samba PDC is looking up only primary user group
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
Version: 3.6.0
Hardware: All All
Importance: P5 regression
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Duplicates: 8510
Blocks: 8399
Reported: 2011-09-14 07:16 UTC by Bogdan Shmorgun
Modified: 2011-10-18 22:01 UTC (History)

Attachments

Patch (1.58 KB, patch)
2011-09-16 13:49 UTC, Volker Lendecke
idra: review+

Log file of login session. (297.16 KB, application/octet-stream)
2011-09-19 12:30 UTC, Vlad Martynovsky
no flags

Other debug info. (953 bytes, text/plain)
2011-09-19 12:30 UTC, Vlad Martynovsky
no flags

Patch to fix the uninitialized memory problem (908 bytes, patch)
2011-10-17 19:29 UTC, Wilco Baan Hofman
no flags

git-am fix for 3.6.1 (1016 bytes, patch)
2011-10-17 22:28 UTC, Jeremy Allison
metze: review+
obnox: review+

Description Bogdan Shmorgun 2011-09-14 07:16:14 UTC
We have a domain where Samba 3.6 on a FreeBSD server is acting as PDC.
All information is stored in OpenLDAP.
We have a Windows 2003 file server acting as a domain member.
We have a file share Test on the Windows file server with permission granted to the domain group Test.
If a user's primary group is set to Test (gidNumber attribute in the LDAP user attributes), the user has permission to this share, otherwise not.
The user is a member of the Test group all the time.
wbinfo and debug log levels show no errors; wbinfo --user-groups=user correctly shows all user group IDs.
Also, Domain Admins group members don't have admin privileges in the domain unless the member's gidNumber attribute in the LDAP user tree is set to the Domain Admins group uid.
Samba config attached
Comment 1 Volker Lendecke 2011-09-16 13:49:55 UTC
Created attachment 6897
Patch

Can you try the attached patch?

Thanks,

Volker
Comment 2 Simo Sorce 2011-09-16 18:45:27 UTC
Comment on attachment 6897
Patch

Obviously correct, please push to all relevant trees
Comment 3 Volker Lendecke 2011-09-16 22:34:37 UTC
Got private email that this patch did not help. Please upload the relevant info here. Thanks.
Comment 4 Vlad Martynovsky 2011-09-19 12:28:57 UTC
Hello Volker,

first of all, thank you very much for your attention
to the current problem! We made a large jump with the upgrade
from 3.0.23 to 3.6.0 and now we are stuck halfway.

Now I want to inform you that your patch had no positive effect. I am attaching some logs with debug == 10. It's a logon session to a Windows 2003 server, where user == v.martynovsky should have access from the domain group "Domain Admins", but it fails if he has another primary group.

In the LDAP DB, the "primary group" for this user was a nonexistent group with gid "500". If I change the gid to "512" <--> "Domain Admins", then the user gets access.

Feel free to ask if other debug info is needed.
Comment 5 Vlad Martynovsky 2011-09-19 12:30:12 UTC
Created attachment 6912
Log file of login session.
Comment 6 Vlad Martynovsky 2011-09-19 12:30:56 UTC
Created attachment 6913
Other debug info.
Comment 7 Volker Lendecke 2011-09-19 17:53:03 UTC
(In reply to comment #5)
> Created attachment 6912 [details]
> Log file of login session.

There *is* a difference. This snippet would not have shown up in the unpatched version. The 570961776 is just wrong.

                                          rids: struct samr_RidWithAttribute
                                              rid                      : 0x22082f70 (570961776)
                                              attributes               : 0x22082f40 (570961728)
                                                     0: SE_GROUP_MANDATORY

Can you get us a network trace of the LDAP traffic from the DC to the LDAP server? If that does not reveal anything, we will have to extend Samba with a lot more debugging or you need someone to get on site to run that through a debugger.

Volker
Comment 8 Karolin Seeger 2011-09-19 19:38:26 UTC
Re-assigning to Volker.
Comment 9 Wilco Baan Hofman 2011-10-13 13:49:31 UTC
*** Bug 8510 has been marked as a duplicate of this bug. ***
Comment 10 Wilco Baan Hofman 2011-10-13 13:57:17 UTC
I had the same issue with samba 3.6.0, Volker's patch fixed it for me.
Comment 11 Jeremy Allison 2011-10-13 19:17:11 UTC
Karolin, please:

git cherry-pick -x 3dcec44f3edbc9c4f1946ead3480f6d01cd53e7a

from for 3.6.1.

This has been reviewed by Simo and has already gone into master (as the above git ref).

Somehow it got missed for 3.6.1.

Thanks !

Jeremy.
Comment 12 Karolin Seeger 2011-10-15 17:48:50 UTC
Pushed to v3-6-test.
Closing out bug report.

Please feel free to re-open if it's still an issue.

Thanks!
Comment 13 Wilco Baan Hofman 2011-10-17 17:17:28 UTC
I'm hitting the corruption bug now as well with Windows XP/2003 logons. 

The empty groups in 2008 was fixed by Volker's patch, but there is still a problem in that code.
Comment 14 Karolin Seeger 2011-10-17 18:23:03 UTC
(In reply to comment #13)
> I'm hitting the corruption bug now as well with Windows XP/2003 logons. 
> 
> The empty groups in 2008 was fixed by Volker's patch, but there is still a
> problem in that code.

So this bug report should be re-opened?
Or would a new bug report make more sense?
Comment 15 Wilco Baan Hofman 2011-10-17 19:29:16 UTC
Created attachment 7005
Patch to fix the uninitialized memory problem

Traced the bug to an invalid counter, this should fix it.
Comment 16 Wilco Baan Hofman 2011-10-17 19:34:31 UTC
Karolin, 

This bug needs to be reopened and a team member should review the patch I just attached so that it can be included in 3.6.1.

Thanks!

Wilco
Comment 17 Jeremy Allison 2011-10-17 20:02:43 UTC
New patch is completely correct. Re-opening to get this in for 3.6.1 (it is a blocker).
Jeremy.
Comment 18 Jeremy Allison 2011-10-17 20:09:57 UTC
Patch going through autobuild now. Will update with the correct git ref once it's done.

Thanks !

Jeremy.
Comment 19 Jeremy Allison 2011-10-17 22:28:15 UTC
Created attachment 7007
git-am fix for 3.6.1

This is what got added to master. Metze please review asap as this one is a blocker for 3.6.1.
Comment 20 Stefan Metzmacher 2011-10-18 07:54:50 UTC
Comment on attachment 7007
git-am fix for 3.6.1

Looks good
Comment 21 Stefan Metzmacher 2011-10-18 08:13:02 UTC
Karolin, please add cherry-pick information to the commit message and pick it for the next possible release
Comment 22 Karolin Seeger 2011-10-18 17:56:23 UTC
Pushed to v3-6-test.
Closing out bug report.

Thanks a lot, Wilco!
Comment 23 Michael Adam 2011-10-18 21:38:50 UTC
Comment on attachment 7007
git-am fix for 3.6.1

ack
Comment 24 Michael Adam 2011-10-18 21:40:02 UTC
oops, too late, the party is already over...
Comment 25 Guenther Deschner 2011-10-18 21:42:49 UTC
This, IMHO, is a bad decision. Shipping with a known and fixed critical issue that makes samba not useable in a customer scenario, only in order to stick with a release procedure...
Comment 26 Guenther Deschner 2011-10-18 21:44:23 UTC
(In reply to comment #25)
> This, IMHO, is a bad decision. Shipping with a known and fixed critical issue
> that makes samba not useable in a customer scenario, only in order to stick
> with a release procedure...

Wait, did I get this wrong? If we shipped this for 3.6.1 I take back everything :-)
Comment 27 Jeremy Allison 2011-10-18 21:44:44 UTC
Guenther, I think you missed the point of Michael's comment. It's already in and will ship in 3.6.1.

When he said "the party is already over" he meant that metze's review was enough and his wasn't needed to get the bug in the release :-).

Jeremy.
Comment 28 Michael Adam 2011-10-18 22:01:32 UTC
(In reply to comment #25)
> This, IMHO, is a bad decision. Shipping with a known and fixed critical issue
> that makes samba not useable in a customer scenario, only in order to stick
> with a release procedure...

I meant too late in that this has already been ACKed by metze and pushed by
Karo when I gave my ack. :-)