Last message on the topic is long so I won't reproduce it here. You can still read it at : http://marc.theaimsgroup.com/?l=samba&m=107099931908523&w=2. I have more news on this front. I made level 10 logs from win98 with samba 3.0.1rc2 and 2.2.8a. It seems that 2.2.8a converts the usename given by win98 to lowercase, which in turn makes unix return all the groups of the unix user : register_vuid: (1000,513) jerome JEROME DOMAIN guest=0 get_current_groups: user is in 4 groups: 513, 550, 103, 102 As you can see, all the lookups are done with a lowercase account name. And thus find all the groups that the user belongs to. But samba 3 keeps the user given by win98 in all uppercase : It starts by the use of username level parameter : Finding user DOMAIN\JEROME Trying _Get_Pwnam(), username as lowercase is domain\jerome Trying _Get_Pwnam(), username as given is DOMAIN\JEROME Checking combinations of 8 uppercase letters in domain\jerome Get_Pwnam_internals didn't find user [DOMAIN\JEROME]! Finding user JEROME Trying _Get_Pwnam(), username as lowercase is jerome Get_Pwnam_internals did find user [JEROME]! pdb_set_username: setting username jerome, was So one may think that username 'jerome' (all lowercase is used). Then comes the group membership determination : sys_getgrouplist: user [JEROME] sys_getgrouplist(): disabled winbindd for group lookup [user == JEROME] push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 push_conn_ctx(0) : conn_ctx_stack_ndx = 0 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 NT user token: (NULL) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 UNIX token of user 1000 Primary group is 513 and contains 2 supplementary groups Group[ 0]: 513 Group[ 1]: 513 As /usr/xpg4/bin/id says, JEROME is only member of its primary group (see precedent posting). Something funnier (but normal as SIDs come from the SMB wire, and Unix's come from local PAM) : samba get the secondary group SIDs, but not the Unix ones. NT user token of user S-1-5-21-1150874807-1180408084-429402335-3000 contains 8 SIDs SID[ 0]: S-1-5-21-1150874807-1180408084-429402335-3000 SID[ 1]: S-1-5-21-1150874807-1180408084-429402335-513 SID[ 2]: S-1-1-0 SID[ 3]: S-1-5-2 SID[ 4]: S-1-5-11 SID[ 5]: S-1-5-21-1150874807-1180408084-429402335-550 SID[ 6]: S-1-5-21-1150874807-1180408084-429402335-1207 SID[ 7]: S-1-5-21-1150874807-1180408084-429402335-1205 UNIX token of user 1000 Primary group is 513 and contains 2 supplementary groups Group[ 0]: 513 Group[ 1]: 513 So, when the windows 98 client tries to mount the share authorized to the rid=1207 (gid=103) group, it ends by the refusal : user_in_list: checking user JEROME in list user_in_list: checking user |JEROME| against |+dsvi| user 'JEROME' (from session setup) not permitted to access this share (dsvi) So, dose anybody can tell me if this behaviour change was intentional, or if : - it is a bug in the pam libraries (bot in Solaris and in PADL used by Linux, which should be returning group membership regardless of the username case ? - it is a bug in my LDAP directory implementation, eg. I should add both lowercase *and* uppercase usernames to memberUid attributes to my groups ? - it is a bug in Samba 2.2.8a, which should behave as samba 3 does ? - it is a bug in Samba 3.0.x, which finds a username in lowercase (thanks to username level=8) but does not use it in the call to sys_getgrouplist?
Created attachment 336 [details] save the correct case of the username
This should be fixed in cvs now. Please test this patch (or the latest SAMBA_3_0 cvs tree.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.