Bug 9288 - Samba-3.6.5 "force group = domain\group" parameter results in group to faulty GID(always 1008)
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
Version: 3.6.5
Hardware: All All
Importance: P5 normal
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2012-10-13 17:26 UTC by jinyunshuai
Modified: 2012-10-17 09:32 UTC (History)
Description jinyunshuai 2012-10-13 17:26:12 UTC
Note: sau1 is a normal AD user from asmb.test, but it is not a member of group
"asmb\sag1". The machine is joined to the asmb.test domain. asmb\sag1's gid is 10001.

Edit smb.conf, then set "force group = +asmb\sag1" for the samba share named
samba-test
=====================================================================
[samba-test]
path = /samba-test
public = yes
force create mode = 0775
force directory mode = 0775
force group = asmb\sag1
writable = yes
=====================================================================

3. Access the samba share via "sau1", and create a directory named "test"
=====================================================================
[root@rhel57v3 samba]# smbclient -U sau1%password //server-ip/samba-test

smb: \> mkdir test
=====================================================================

4. Go to "samba-test" and check the attributes of the directory created in
step #3
=====================================================================
[root@rhel57v3 samba-test]# ls -al
total 32
drwxrwxrwx  4 root root 4096 Oct 11 13:43 .
drwxr-xr-x 26 root root 4096 Oct 11 13:40 ..
drwxrwxr-x  2 sac2 sag1 4096 Oct 11 13:43 samba
drwxrwxr-x  2 sbu1 1008 4096 Oct 11 13:42 test  <------- This is unexpected: the directory's group should be "sag1", not 1008.
Comment 1 jinyunshuai 2012-10-13 17:27:41 UTC
*** Bug 9287 has been marked as a duplicate of this bug. ***
Comment 2 jinyunshuai 2012-10-13 17:37:36 UTC
[2012/10/14 01:32:59.274669,  4] smbd/reply.c:794(reply_tcon_and_X)
  Client requested device type [?????] for share [SAMBA-TEST]
[2012/10/14 01:32:59.274738,  5] smbd/service.c:1321(make_connection)
  making a connection to 'normal' service samba-test
[2012/10/14 01:32:59.274792,  3] lib/access.c:338(allow_access)
  Allowed connection from 10.100.60.34 (10.100.60.34)
[2012/10/14 01:32:59.274842, 10] smbd/share_access.c:241(user_ok_token)
  user_ok_token: share samba-test is ok for unix user ASMB\sau1
[2012/10/14 01:32:59.275127,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user ASMB\sau1
[2012/10/14 01:32:59.275198,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is asmb\sau1
[2012/10/14 01:32:59.275246,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [ASMB\sau1]!
[2012/10/14 01:32:59.275319, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: asmb\sag1 => domain=[asmb], name=[sag1]
[2012/10/14 01:32:59.275397, 10] passdb/lookup_sid.c:77(lookup_name)
  lookup_name: flags = 0x077
[2012/10/14 01:32:59.283457, 10] passdb/lookup_sid.c:1636(sid_to_gid)
  sid S-1-5-21-389355910-562143428-3661938687-1110 -> gid 1008    
<<<< faulty GID, it should be 10001
[2012/10/14 01:32:59.283526,  3] smbd/service.c:581(find_forced_group)
  Forced group asmb\sag1
[2012/10/14 01:32:59.283578, 10] smbd/service.c:162(set_conn_connectpath)
  set_conn_connectpath: service samba-test, connectpath = /samba-test
[2012/10/14 01:32:59.283627,  3] smbd/service.c:837(make_connection_snum)
  Connect path is '/samba-test' for service [samba-test]
[2012/10/14 01:32:59.283688, 10] ../libcli/security/access_check.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x10000000 to 0x001f01ff
[2012/10/14 01:32:59.283807, 10] ../libcli/security/access_check.c:178(se_access_check)
  se_access_check: MAX desired = 0x2000000, granted = 0x101f01ff, remaining = 0x101f01ff
[2012/10/14 01:32:59.283957,  3] smbd/vfs.c:102(vfs_init_default)
  Initialising default vfs hooks
[2012/10/14 01:32:59.284011,  3] smbd/vfs.c:128(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2012/10/14 01:32:59.284057, 10] smbd/vfs.c:53(vfs_find_backend_entry)
  vfs_find_backend_entry called for /[Default VFS]/
  Successfully loaded vfs module [/[Default VFS]/] with the new modules system
[2012/10/14 01:32:59.284147,  5] smbd/connection.c:134(claim_connection)
  claiming [samba-test]
[2012/10/14 01:32:59.284273, 10
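
The comparison the reporter makes by eye in the log above, as an added example (not part of the bug report and not Samba code): it pairs each `sid_to_gid` result with the `find_forced_group` entry that follows it and compares that GID with what a resolver returns for the same group name. The function names and the pairing heuristic are assumptions of this example; the sample lines are copied from comment 2.

```python
import re

# Lines copied from the smbd level-10 log in comment 2 (reporter's annotation omitted).
SAMPLE_LOG = r"""
[2012/10/14 01:32:59.275319, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: asmb\sag1 => domain=[asmb], name=[sag1]
[2012/10/14 01:32:59.283457, 10] passdb/lookup_sid.c:1636(sid_to_gid)
  sid S-1-5-21-389355910-562143428-3661938687-1110 -> gid 1008
[2012/10/14 01:32:59.283526,  3] smbd/service.c:581(find_forced_group)
  Forced group asmb\sag1
"""

# An smbd debug entry is a header "[time, level] file:line(function)" plus indented text.
HEADER = re.compile(r"^\[[^,\]]+,\s*\d+\]\s+\S+?:\d+\((\w+)\)")
SID_TO_GID = re.compile(r"sid (S-[\d-]+) -> gid (\d+)")
FORCED = re.compile(r"Forced group (.+)")

def forced_group_mappings(log_text):
    """Return [(group, sid, gid)] for every forced-group resolution in the log."""
    found, func, last = [], None, None
    for raw in log_text.splitlines():
        header = HEADER.match(raw)
        if header:
            func = header.group(1)
            continue
        body = raw.strip()
        if func == "sid_to_gid" and (m := SID_TO_GID.search(body)):
            last = (m.group(1), int(m.group(2)))
        elif func == "find_forced_group" and (m := FORCED.match(body)) and last:
            # Assumption: the sid_to_gid entry just before belongs to this group.
            found.append((m.group(1).strip(), *last))
            last = None
    return found

def nss_gid(name):
    """GID that NSS (winbind on a domain member) reports for name, or None."""
    import grp  # Unix-only module
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None

def audit(log_text, resolve_gid=nss_gid):
    """List forced groups whose GID inside smbd differs from resolve_gid(name)."""
    return [
        {"group": g, "sid": sid, "smbd_gid": gid, "expected_gid": resolve_gid(g)}
        for g, sid, gid in forced_group_mappings(log_text)
        if resolve_gid(g) != gid
    ]
```

With the default resolver, run it on the domain member itself so the name lookup goes through the same NSS configuration that `ls -al` uses.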
Comment 3 jinyunshuai 2012-10-13 18:04:15 UTC
Using "force group = sag1" instead of "force group = asmb\sag1" can work around this issue.
Comment 4 jinyunshuai 2012-10-17 07:40:27 UTC
The issue only exists in the following situations:

1> With the “force group = domain-name\group-name” setting (without the + character), the user’s primary group is not “group-name” (this includes both a user who is in “group-name” without it being the primary group, and a user who is not in “group-name”).
2> With the “force group = +domain-name\group-name” setting (with the + character), the user’s primary group is not “group-name”, but the user is in “group-name”.
Comment 5 jinyunshuai 2012-10-17 09:32:32 UTC
There are some tiny errors in the bug description:

1> The ‘+’ character was not added when testing,
as smb.conf shows:

[samba-test]
path = /samba-test
public = yes
force create mode = 0775
force directory mode = 0775
force group = asmb\sag1
writable = yes


2> The correct uid in step 4 is sau1, not sbu1,

as:
Go to "samba-test" and check the attributes of the directory created in
step #3
=====================================================================
[root@rhel57v3 samba-test]# ls -al
total 32
drwxrwxrwx  4 root root 4096 Oct 11 13:43 .
drwxr-xr-x 26 root root 4096 Oct 11 13:40 ..
drwxrwxr-x  2 sac2 sag1 4096 Oct 11 13:43 samba
drwxrwxr-x  2 sau1 1008 4096 Oct 11 13:42 test  <------- This is unexpected: the directory's group should be "sag1", not 1008.