We have a domain where Samba 3.6 on a FreeBSD server is acting as PDC. All information is stored in OpenLDAP. We have a Windows 2003 file server acting as a domain member. We have a file share Test on the Windows file server with permission granted to the domain group Test. If a user's primary group is set to Test (gidNumber attribute in the LDAP user attributes), the user has permission to this share, otherwise not. The user is a member of the Test group all the time. wbinfo and debug log levels show no errors; wbinfo --user-groups=user correctly shows all user group ids. Also, Domain Admins group members don't have admin privileges in the domain unless the member's gidNumber attribute in the LDAP user tree is set to the Domain Admins group uid. Samba config attached.
Created attachment 6897: Patch. Can you try the attached patch? Thanks, Volker
Comment on attachment 6897 (Patch): Obviously correct, please push to all relevant trees
Got private email that this patch did not help. Please upload the relevant info here. Thanks.
Hello Volker, first of all, thank you very much for your attention to the current problem! We made a large jump with the upgrade from 3.0.23 to 3.6.0 and now we are stuck halfway. I want to inform you that your patch had no positive effect. I am attaching some logs with debug == 10. It's a logon session to a Windows 2003 server, where user == v.martynovsky should have access through the domain group "Domain Admins", but it fails if he has another primary group. In the LDAP DB, the "primary group" for this user was a nonexistent group with gid "500". If I change the gid to "512" <--> "Domain Admins", then the user gets access. Feel free to ask if other debug info is needed.
Created attachment 6912: Log file of login session.
Created attachment 6913: Other debug info.
(In reply to comment #5) > Created attachment 6912 > Log file of login session. There *is* a difference. This snippet would not have shown up in the unpatched version. The 570961776 is just wrong. rids: struct samr_RidWithAttribute rid : 0x22082f70 (570961776) attributes : 0x22082f40 (570961728) 0: SE_GROUP_MANDATORY Can you get us a network trace of the LDAP traffic from the DC to the LDAP server? If that does not reveal anything, we will have to extend Samba with a lot more debugging or you need someone to get on site to run that through a debugger. Volker
Re-assigning to Volker.
*** Bug 8510 has been marked as a duplicate of this bug. ***
I had the same issue with samba 3.6.0, Volker's patch fixed it for me.
Karolin, please: git cherry-pick -x 3dcec44f3edbc9c4f1946ead3480f6d01cd53e7a from for 3.6.1. This has been reviewed by Simo and has already gone into master (as the above git ref). Somehow it got missed for 3.6.1. Thanks! Jeremy.
Pushed to v3-6-test. Closing out bug report. Please feel free to re-open if it's still an issue. Thanks!
I'm hitting the corruption bug now as well with Windows XP/2003 logons. The empty groups in 2008 were fixed by Volker's patch, but there is still a problem in that code.
(In reply to comment #13) > I'm hitting the corruption bug now as well with Windows XP/2003 logons. > > The empty groups in 2008 were fixed by Volker's patch, but there is still a > problem in that code. So this bug report should be re-opened? Or would a new bug report make more sense?
Created attachment 7005: Patch to fix the uninitialized memory problem. Traced the bug to an invalid counter, this should fix it.
Karolin, This bug needs to be reopened and a team member should review the patch I just attached so that it can be included in 3.6.1. Thanks! Wilco
New patch is completely correct. Re-opening to get this in for 3.6.1 (it is a blocker). Jeremy.
Patch going through autobuild now. Will update with the correct git ref once it's done. Thanks ! Jeremy.
Created attachment 7007: git-am fix for 3.6.1. This is what got added to master. Metze please review asap as this one is a blocker for 3.6.1.
Comment on attachment 7007 (git-am fix for 3.6.1): Looks good
Karolin, please add cherry-pick information to the commit message and pick it for the next possible release
Pushed to v3-6-test. Closing out bug report. Thanks a lot, Wilco!
Comment on attachment 7007 (git-am fix for 3.6.1): ack
oops, too late, the party is already over...
This, IMHO, is a bad decision. Shipping with a known and fixed critical issue that makes samba not useable in a customer scenario, only in order to stick with a release procedure...
(In reply to comment #25) > This, IMHO, is a bad decision. Shipping with a known and fixed critical issue > that makes samba not useable in a customer scenario, only in order to stick > with a release procedure... Wait, did I get this wrong? If we shipped this for 3.6.1 I take back everything :-)
Guenther, I think you missed the point of Michael's comment. It's already in and will ship in 3.6.1. When he said "the party is already over" he meant that metze's review was enough and his wasn't needed to get the bug in the release :-). Jeremy.
(In reply to comment #25) > This, IMHO, is a bad decision. Shipping with a known and fixed critical issue > that makes samba not useable in a customer scenario, only in order to stick > with a release procedure... I meant too late in that this has already been ACKed by metze and pushed by Karo when I gave my ack. :-)