Bug 882 - secondary UNIX groups fail on Solaris for Win98 clients
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.0
Hardware: Other other
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
Reported: 2003-12-12 06:46 UTC by Gerald (Jerry) Carter (dead mail address)
Modified: 2005-08-24 10:25 UTC

Attachments
save the correct case of the username (2.56 KB, patch)
2003-12-22 13:31 UTC, Gerald (Jerry) Carter (dead mail address)

Description Gerald (Jerry) Carter (dead mail address) 2003-12-12 06:46:17 UTC
Last message on the topic is long so I won't reproduce it 
here. You can still read it at :

  http://marc.theaimsgroup.com/?l=samba&m=107099931908523&w=2.

I have more news on this front.

I made level 10 logs from win98 with samba 3.0.1rc2 
and 2.2.8a.  It seems that 2.2.8a converts the username 
given by win98 to lowercase, which in turn makes unix 
return all the groups of the unix user:

  register_vuid: (1000,513) jerome JEROME DOMAIN guest=0
  get_current_groups: user is in 4 groups: 513, 550, 103, 102

As you can see, all the lookups are done with a lowercase 
account name. And thus find all the groups that the user 
belongs to.

But samba 3 keeps the user given by win98 in all uppercase:

It starts with the use of the username level parameter:

  Finding user DOMAIN\JEROME
  Trying _Get_Pwnam(), username as lowercase is domain\jerome
  Trying _Get_Pwnam(), username as given is DOMAIN\JEROME
  Checking combinations of 8 uppercase letters in domain\jerome
  Get_Pwnam_internals didn't find user [DOMAIN\JEROME]!
  Finding user JEROME
  Trying _Get_Pwnam(), username as lowercase is jerome
  Get_Pwnam_internals did find user [JEROME]!
  pdb_set_username: setting username jerome, was

So one may think that username 'jerome' (all lowercase) 
is used.

Then comes the group membership determination:

  sys_getgrouplist: user [JEROME]
  sys_getgrouplist(): disabled winbindd for group lookup [user == JEROME]
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
  NT user token: (NULL)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
  UNIX token of user 1000
  Primary group is 513 and contains 2 supplementary groups
  Group[  0]: 513
  Group[  1]: 513

As /usr/xpg4/bin/id says, JEROME is only a member of 
its primary group (see previous posting).

Something funnier (but normal as SIDs come from the SMB wire, 
and Unix's come from local PAM): Samba gets the secondary 
group SIDs, but not the Unix ones.

  NT user token of user S-1-5-21-1150874807-1180408084-429402335-3000
  contains 8 SIDs
  SID[  0]: S-1-5-21-1150874807-1180408084-429402335-3000
  SID[  1]: S-1-5-21-1150874807-1180408084-429402335-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-1150874807-1180408084-429402335-550
  SID[  6]: S-1-5-21-1150874807-1180408084-429402335-1207
  SID[  7]: S-1-5-21-1150874807-1180408084-429402335-1205
  UNIX token of user 1000
  Primary group is 513 and contains 2 supplementary groups
  Group[  0]: 513
  Group[  1]: 513

So, when the windows 98 client tries to mount the 
share authorized to the rid=1207 (gid=103) group, it ends 
in a refusal:

  user_in_list: checking user JEROME in list
  user_in_list: checking user |JEROME| against |+dsvi|
  user 'JEROME' (from session setup) not permitted to 
     access this share (dsvi)

So, can anybody tell me if this behaviour change was 
intentional, or if:

- it is a bug in the pam libraries (both in Solaris and in PADL 
  used by Linux), which should be returning group membership 
  regardless of the username case?
- it is a bug in my LDAP directory implementation, e.g. I should 
  add both lowercase *and* uppercase usernames to memberUid attributes 
  to my groups?
- it is a bug in Samba 2.2.8a, which should behave as samba 3 does?
- it is a bug in Samba 3.0.x, which finds a username in lowercase 
  (thanks to username level=8) but does not use it in the call 
  to sys_getgrouplist?
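
The condition described in this report can be checked for mechanically in a level 10 log. The following is an added example, not part of the original report and not Samba code: it flags a sys_getgrouplist call whose user name differs only in case from the name stored by pdb_set_username, and notes whether the resulting UNIX token lists nothing but the primary gid. The function name and the abridged sample (lines copied from the excerpts above) are assumptions of this example.

```python
import re

# Abridged sample: log lines copied from the excerpts in the report above.
SAMPLE_LOG = """\
pdb_set_username: setting username jerome, was
sys_getgrouplist: user [JEROME]
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
UNIX token of user 1000
Primary group is 513 and contains 2 supplementary groups
Group[  0]: 513
Group[  1]: 513
"""

PDB_NAME = re.compile(r"pdb_set_username: setting username (\S+?),")
GROUPLIST = re.compile(r"sys_getgrouplist: user \[([^\]]+)\]")
UNIX_TOKEN = re.compile(r"UNIX token of user (\d+)")
PRIMARY = re.compile(r"Primary group is (\d+) and contains \d+ supplementary groups")
GROUP = re.compile(r"Group\[\s*\d+\]: (\d+)")


def find_case_mismatches(log_text):
    """Return one finding per sys_getgrouplist call whose user name differs
    only by case from the name last stored by pdb_set_username."""
    findings, resolved, current = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := PDB_NAME.search(line):
            resolved = m.group(1)
        elif m := GROUPLIST.search(line):
            queried, current = m.group(1), None
            if resolved and queried != resolved and queried.lower() == resolved.lower():
                current = {"resolved": resolved, "queried": queried,
                           "uid": None, "primary": None, "groups": []}
                findings.append(current)
        elif current is not None:
            if m := UNIX_TOKEN.search(line):
                # A new token starts: keep only the most recent one.
                current["uid"], current["groups"] = int(m.group(1)), []
            elif m := PRIMARY.search(line):
                current["primary"] = int(m.group(1))
            elif m := GROUP.search(line):
                current["groups"].append(int(m.group(1)))
    for f in findings:
        # True when every listed group is just the primary gid repeated.
        f["only_primary"] = bool(f["groups"]) and set(f["groups"]) == {f["primary"]}
    return findings


if __name__ == "__main__":
    for finding in find_case_mismatches(SAMPLE_LOG):
        print(finding)
```
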
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-12-22 13:31:31 UTC
Created attachment 336
save the correct case of the username
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-12-22 13:32:09 UTC
This should be fixed in cvs now.  Please test this patch (or the 
latest SAMBA_3_0 cvs tree).
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:25:40 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.