initgroups() system call in smbd child process doesn't get suppliementary group info from LDAP

Marco Zhang Marco.Zhang at Sun.COM
Mon Dec 1 08:30:12 GMT 2003


Hi Experts,

Here is my setup:
================
* OS:
	Solaris 9 with Native LDAP client enabled

* Samba: 
	2.2.8a compiled with OpenLDAP 2.1.22:
	# CPPFLAGS="-I/usr/local/openldap_22/include" LDFLAGS="-L/usr/local/openldap_22/lib" ./configure --prefix=/usr/local/samba_2.2.8_ldap22 --with-ldapsam

* OpenLDAP 2.1.22

* iPlanet Directory Server 5.1 is setup to as SAM


The problem is:
===============
With patch 112960-03 and below, everything works fine. With patch newer than 112960-03, Samba cann't get the supplementary group information for a user from directory server. Therefore, the user gets access denied when access to those files with supplementary group permission.


More testing and data below:
============================

There is a user which primary group id is 513 and the supplementary group id is 512.

==> With patch 112960-03 and below

	a) Debug log indicates that 2 groups are returned by sys_getgroups()

[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:initialise_groups(288)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(163)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(164)
[2003/11/30 16:34:00, 3] lib/system.c:sys_getgroups(655)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(167)
[2003/11/30 16:34:00, 3] lib/system.c:sys_getgroups(655)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(180)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(187)
  get_current_groups: user is in 2 groups: 513, 512

	b) truss output of smbd process also indicates that after initgroups() system call, it connects to LDAP server the retrieve group info

...
...
...
25864/1:           w i n b i n d _ i n i t g r o u p s
25864/1:        write(22, " ( 2 9 2", 4)                        = 4
25864/1:        write(22, " )\n", 2)                            = 2
25864/1:        getuid()                                        = 0 [0]
25864/1:        sysconfig(_CONFIG_NGROUPS)                      = 16
25864/1:        open("/etc/default/nss", O_RDONLY)              = 24
25864/1:        fstat64(24, 0xFFBFE158)                         = 0
...
...
...
25864/1:        getsockopt(24, SOL_SOCKET, 0x2000, 0xFFBFB6F8, 0xFFBFB6F4, 0) = 0
25864/1:        setsockopt(24, SOL_SOCKET, 0x2000, 0xFFBFB6F8, 4, 0) = 0
25864/1:        fcntl(24, F_SETFL, 0x00000082)                  = 0
25864/1:        connect(24, 0x00261BF0, 16, 1)                  = 0
25864/1:                AF_INET  name = 129.158.142.98  port = 389
...
...
...
25864/1:        write(24, 0x0025DEF0, 154)                      = 154
25864/1:           08197020102 c819104 # o u = g r o u p , d c = s i n g a p o r e
25864/1:           , d c = s u n , d c = c o m\n0101\n01030201\002011E0101\0A0 1A3
25864/1:          1904\v o b j e c t C l a s s04\n p o s i x G r o u pA31404\t m e
25864/1:           m b e r U i d0407 v a n e s s a 0 (0402 c n04\t g i d n u m b e
25864/1:           r04\f u s e r p a s s w o r d04\t m e m b e r u i d
25864/1:        time()                                          = 1070188086
25864/1:        poll(0xFFBFB4B0, 1, 30000)                      = 1
25864/1:                fd=24 ev=POLLRDNORM rev=POLLRDNORM
25864/1:        read(24, " 08198020102 d81", 8)                 = 8
25864/1:        read(24, 0x002632A5, 147)                       = 147
25864/1:          9204 4 c n = D o m a i n   A d m i n s , o u = g r o u p , d c =
25864/1:           s i n g a p o r e , d c = s u n , d c = c o m 0 Z 0150402 c n 1
25864/1:          0F04\r D o m a i n   A d m i n s 01204\t g i d n u m b e r 10504
25864/1:          03 5 1 2 0 -04\t m e m b e r u i d 1  04\r A d m i n i s t r a t
25864/1:           o r0406 x p u s e r0407 v a n e s s a
25864/1:        time()                                          = 1070188086


==> With patch newer than 112960-03

	a) Debug log indicates that only primary group id is returned by sys_getgroups()

[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(163)
[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(164)
[2003/11/30 16:16:05, 3] lib/system.c:sys_getgroups(655)
[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(167)
[2003/11/30 16:16:05, 3] lib/system.c:sys_getgroups(655)
[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(180)
[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(187)
  get_current_groups: user is in 1 groups: 513

	b) truss output of smbd also indicates that initgroups() doesn't connect to LDAP server to get group info

...
...
...
25833/1:        write(22, 0x00182358, 18)                       = 18
25833/1:           w i n b i n d _ i n i t g r o u p s
25833/1:        write(22, " ( 2 9 2", 4)                        = 4
25833/1:        write(22, " )\n", 2)                            = 2
25833/1:        getuid()                                        = 0 [0]
25833/1:        sysconfig(_CONFIG_NGROUPS)                      = 16
25833/1:        open("/etc/default/nss", O_RDONLY)              = 25
...
...
...
25833/1:        getpid()                                        = 25833 [25823]
25833/1:        putmsg(24, 0xFFBFB0F0, 0xFFBFB0E4, 0)           = 0
25833/1:                ctl:  maxlen=24   len=24   buf=0xFFBFBA20: "FF\vE5 @\002\010"..
25833/1:          FF\vE5 @\002\010\002E398\0\002B4FF\f07 0\0\0\0\v
25833/1:                dat:  maxlen=1280 len=100  buf=0xFFBFB520: " N o v   3 0   1"..
25833/1:           N o v   3 0   1 7 : 3 1 : 0 5   s m b d [ 2 5 8 3 3 ] :   [ I D
25833/1:             2 9 3 2 5 8   F A C I L I T Y _ A N D _ P R I O R I T Y ]   l
25833/1:           i b s l d a p :   S t a t u s :   9 1     M e s g :   E r r o r
25833/1:             0\n\0
...
...
...

	c) The following error appeear in /var/adm/messages

Dec  1 10:30:29 v4u-v120a smbd[25833]: [ID 293258 user.error] libsldap: Status: 91  Mesg: No such file or directory
Dec  1 10:30:29 v4u-v120a smbd[25833]: [ID 293258 user.error] libsldap: Status: 91  Mesg: Bad file number
Dec  1 10:30:29 v4u-v120a smbd[25833]: [ID 293258 user.error] libsldap: Status: 7  Mesg: Session error no available conn.
Dec  1 10:30:29 v4u-v120a smbd[25833]: [ID 293258 user.error] libsldap: Status: 91  Mesg: Error 0


Also tested by adding some debug codes in Samba source that initgroups() system call works fine only in smdb parent process but not in child smbd process.


Questions:
==========
* Any ideal for above behavours?
* Is the problem of smbd or the Solaris patch?
* Any workarounds? (Of course don't tell me to downgrade the patch 112960-03 and below)
* If is the problem of Solaris patch, anyone can contribute a simple C code the produce the same problem or even the ideal of how this C code should be written?

Thanks,
-- 

Marco Zhang             : Solution Center Engineer
Email                   : Marco.Zhang at Sun.Com
Customer Service Centre : 1800 339 2786 (in Singapore) +65 6339 2786
Online Service Centre   : http://www.sun.com/service/online/ 



More information about the samba-technical mailing list