[Samba] force group to Unix group in 3.0.25

Mike seowphm at starhub.net.sg
Mon May 21 04:28:19 GMT 2007


Thanks Jerry, for the fast response to this issue.
v3.0.24, as well as gc-1 and gc-2 didn't have the problem for me.
(btw, gc-2 is still reported as gc-1 when I did "smbd -V".  I had to change 
include/version.h manually).  Only 3.0.25 had this problem for me.
I have tried patching uid.c in 3.0.25 (following the patch you posted in another mail)
and it's still not working for me (I have attached more logs/info below).
The interesting thing is the winbindd_cache.tdb file (I do purge all the tdbs between
each test to be sure nothing is leftover).  There are some entries which are
created by 3.0.25 for local Unix groups (gid 561 (localgrp) and gid 60001 (nobody))
which are not found in the same file for v3.0.24.
Are these cache entries causing the local Unix groups to be reported as not 
mapped?

Thanks,
Mike

---------------------------
The log.smbd errors are still the same as before so I didn't re-include them.
----------------------------
Excerpt from winbindd_cache.tdb for 3.0.25 (3.0.24 doesn't have these entries)

{
key(15) = "SN/S-1-22-2-561"      <<== 561 is the gid for the Unix group localgrp
data(8) = "s\00\00\C0\1B\FA\B6\05"
}
.....
{
key(17) = "SN/S-1-22-2-60001"    <<== 60001 is the gid for the Unix group nobody
data(8) = "s\00\00\C0\1B\FA\B6\05"
}

----------------------------
log.winbindd - 3.0.25 (patched uid.c)

[2007/05/21 10:33:55, 10] nsswitch/winbindd.c:process_request(311)
  process_request: request fn LOOKUPNAME
[2007/05/21 10:33:55, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(103)
  [    0]: lookupname Unix Group\localgrp
[2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2299)
  Retrieving response for pid 24151
[2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2299)
  Retrieving response for pid 24151
[2007/05/21 10:33:55, 5] nsswitch/winbindd_async.c:lookupname_recv2(801)
  lookup_name returned an error
[2007/05/21 10:33:55, 5] nsswitch/winbindd_sid.c:lookupname_recv(116)
  lookupname returned an error
[2007/05/21 10:33:55, 10] nsswitch/winbindd.c:process_request(311)
  process_request: request fn SID_TO_GID
[2007/05/21 10:33:55, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
  [    0]: sid to gid S-1-22-2-561
[2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(681)
  find_lookup_domain_from_sid(S-1-22-2-561)
[2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(691)
  calling find_our_domain
[2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2299)
  Retrieving response for pid 24151
[2007/05/21 10:33:55, 5] nsswitch/winbindd_async.c:lookupsid_recv(706)
  lookupsid returned an error
[2007/05/21 10:33:55, 5] nsswitch/winbindd_sid.c:sid2gid_lookupsid_recv(274)
  sid2gid_lookupsid_recv: Could not convert get sid type for S-1-22-2-561


-------------------
log.wb-DOMAIN  - 3.0.25 (patched uid.c)

[2007/05/21 10:33:55, 10] nsswitch/winbindd_dual.c:child_process_request(410)
  process_request: request fn LOOKUPSID
[2007/05/21 10:33:55, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupsid(754)
  [24150]: lookupsid S-1-22-2-561
[2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(681)
  find_lookup_domain_from_sid(S-1-22-2-561)
[2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(691)
  calling find_our_domain
[2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(465)
  refresh_sequence_number: DOMAIN time ok
[2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(499)
  refresh_sequence_number: DOMAIN seq number is now 95874700
[2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:centry_expired(539)
  centry_expired: Key SN/S-1-22-2-561 for domain DOMAIN is good.
[2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:wcache_fetch(624)
  wcache_fetch: returning entry SN/S-1-22-2-561 for domain DOMAIN
[2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:sid_to_name(1435)
  sid_to_name: [Cached] - cached name for domain DOMAIN status: NT_STATUS_NONE_MAPPED




--- "Gerald (Jerry) Carter" <jerry at samba.org> wrote:

> Christian, the issue was that setting force group on a share
> was causing all additional supplementary gids to be dropped
> from the user's token.
> 
> So setup a share that has force group = foo and then
> create a directory or file that the user should be able
> to access based on supplementary groups other than
> "foo".
> 
> You can verify the fix by looking at the NT and UNIX user
> token debug output in smbd's level 10 debug logs.
> 
> Sorry for all the hassle and the regression.  Jeremy
> and I have both looked over the code and haven't seen
> any other code paths that would be problematic so
> I think this one patch is enough.
> 
> 
> 
> cheers, jerry
> 
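
As an added example (not part of the original post, and not Samba's own code), the Python below decodes the two winbindd_cache.tdb records quoted in the message above. It assumes each cache entry starts with a little-endian 32-bit NTSTATUS followed by a 32-bit sequence number; the sample dump is constructed from the records in the post (without the "<<==" annotations), and the function names are hypothetical.

```python
import re
import struct

# Constructed sample: the two records quoted in the post, in tdbdump's text format.
SAMPLE_DUMP = r'''
{
key(15) = "SN/S-1-22-2-561"
data(8) = "s\00\00\C0\1B\FA\B6\05"
}
{
key(17) = "SN/S-1-22-2-60001"
data(8) = "s\00\00\C0\1B\FA\B6\05"
}
'''

# 0xC0000073 is STATUS_NONE_MAPPED; unknown codes are shown in hex.
NTSTATUS_NAMES = {0x00000000: "NT_STATUS_OK", 0xC0000073: "NT_STATUS_NONE_MAPPED"}
# S-1-22-1 / S-1-22-2 are the SID prefixes Samba uses for local Unix users / groups.
UNIX_SID = re.compile(r"^SN/(S-1-22-([12])-(\d+))$")
RECORD = re.compile(r'key\(\d+\) = "(.*)"\s*\n\s*data\((\d+)\) = "(.*)"')


def unescape(text):
    """Turn tdbdump's \\XX hex escapes back into raw bytes."""
    return re.sub(rb"\\([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text.encode("latin-1"))


def negative_unix_entries(dump):
    """Return (sid, kind, unix_id, status_name, seq) for cached Unix-SID lookups."""
    found = []
    for key, length, data in RECORD.findall(dump):
        m = UNIX_SID.match(key)
        raw = unescape(data)
        if not m or len(raw) != int(length) or len(raw) < 8:
            continue  # not a Unix SID entry, or a truncated/garbled record
        status, seq = struct.unpack_from("<II", raw)  # assumed header layout
        name = NTSTATUS_NAMES.get(status, hex(status))
        kind = "user" if m.group(2) == "1" else "group"
        found.append((m.group(1), kind, int(m.group(3)), name, seq))
    return found


if __name__ == "__main__":
    for entry in negative_unix_entries(SAMPLE_DUMP):
        print(entry)
```

Under that assumed layout, both quoted records decode to NT_STATUS_NONE_MAPPED, the same status sid_to_name reports from the cache in the log.wb-DOMAIN excerpt.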
 

