initgroups() system call in smbd child process doesn't get
suppliementary group info from LDAP
Marco Zhang
Marco.Zhang at Sun.COM
Mon Dec 1 08:30:12 GMT 2003
Hi Experts,
Here is my setup:
================
* OS:
Solaris 9 with Native LDAP client enabled
* Samba:
2.2.8a compiled with OpenLDAP 2.1.22:
# CPPFLAGS="-I/usr/local/openldap_22/include" LDFLAGS="-L/usr/local/openldap_22/lib" ./configure --prefix=/usr/local/samba_2.2.8_ldap22 --with-ldapsam
* OpenLDAP 2.1.22
* iPlanet Directory Server 5.1 is setup to as SAM
The problem is:
===============
With patch 112960-03 and below, everything works fine. With patch newer than 112960-03, Samba cann't get the supplementary group information for a user from directory server. Therefore, the user gets access denied when access to those files with supplementary group permission.
More testing and data below:
============================
There is a user which primary group id is 513 and the supplementary group id is 512.
==> With patch 112960-03 and below
a) Debug log indicates that 2 groups are returned by sys_getgroups()
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:initialise_groups(288)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(163)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(164)
[2003/11/30 16:34:00, 3] lib/system.c:sys_getgroups(655)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(167)
[2003/11/30 16:34:00, 3] lib/system.c:sys_getgroups(655)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(180)
[2003/11/30 16:34:00, 3] smbd/sec_ctx.c:get_current_groups(187)
get_current_groups: user is in 2 groups: 513, 512
b) truss output of smbd process also indicates that after initgroups() system call, it connects to LDAP server the retrieve group info
...
...
...
25864/1: w i n b i n d _ i n i t g r o u p s
25864/1: write(22, " ( 2 9 2", 4) = 4
25864/1: write(22, " )\n", 2) = 2
25864/1: getuid() = 0 [0]
25864/1: sysconfig(_CONFIG_NGROUPS) = 16
25864/1: open("/etc/default/nss", O_RDONLY) = 24
25864/1: fstat64(24, 0xFFBFE158) = 0
...
...
...
25864/1: getsockopt(24, SOL_SOCKET, 0x2000, 0xFFBFB6F8, 0xFFBFB6F4, 0) = 0
25864/1: setsockopt(24, SOL_SOCKET, 0x2000, 0xFFBFB6F8, 4, 0) = 0
25864/1: fcntl(24, F_SETFL, 0x00000082) = 0
25864/1: connect(24, 0x00261BF0, 16, 1) = 0
25864/1: AF_INET name = 129.158.142.98 port = 389
...
...
...
25864/1: write(24, 0x0025DEF0, 154) = 154
25864/1: 08197020102 c819104 # o u = g r o u p , d c = s i n g a p o r e
25864/1: , d c = s u n , d c = c o m\n0101\n01030201\002011E0101\0A0 1A3
25864/1: 1904\v o b j e c t C l a s s04\n p o s i x G r o u pA31404\t m e
25864/1: m b e r U i d0407 v a n e s s a 0 (0402 c n04\t g i d n u m b e
25864/1: r04\f u s e r p a s s w o r d04\t m e m b e r u i d
25864/1: time() = 1070188086
25864/1: poll(0xFFBFB4B0, 1, 30000) = 1
25864/1: fd=24 ev=POLLRDNORM rev=POLLRDNORM
25864/1: read(24, " 08198020102 d81", 8) = 8
25864/1: read(24, 0x002632A5, 147) = 147
25864/1: 9204 4 c n = D o m a i n A d m i n s , o u = g r o u p , d c =
25864/1: s i n g a p o r e , d c = s u n , d c = c o m 0 Z 0150402 c n 1
25864/1: 0F04\r D o m a i n A d m i n s 01204\t g i d n u m b e r 10504
25864/1: 03 5 1 2 0 -04\t m e m b e r u i d 1 04\r A d m i n i s t r a t
25864/1: o r0406 x p u s e r0407 v a n e s s a
25864/1: time() = 1070188086
==> With patch newer than 112960-03
a) Debug log indicates that only primary group id is returned by sys_getgroups()
[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(163)
[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(164)
[2003/11/30 16:16:05, 3] lib/system.c:sys_getgroups(655)
[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(167)
[2003/11/30 16:16:05, 3] lib/system.c:sys_getgroups(655)
[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(180)
[2003/11/30 16:16:05, 3] smbd/sec_ctx.c:get_current_groups(187)
get_current_groups: user is in 1 groups: 513
b) truss output of smbd also indicates that initgroups() doesn't connect to LDAP server to get group info
...
...
...
25833/1: write(22, 0x00182358, 18) = 18
25833/1: w i n b i n d _ i n i t g r o u p s
25833/1: write(22, " ( 2 9 2", 4) = 4
25833/1: write(22, " )\n", 2) = 2
25833/1: getuid() = 0 [0]
25833/1: sysconfig(_CONFIG_NGROUPS) = 16
25833/1: open("/etc/default/nss", O_RDONLY) = 25
...
...
...
25833/1: getpid() = 25833 [25823]
25833/1: putmsg(24, 0xFFBFB0F0, 0xFFBFB0E4, 0) = 0
25833/1: ctl: maxlen=24 len=24 buf=0xFFBFBA20: "FF\vE5 @\002\010"..
25833/1: FF\vE5 @\002\010\002E398\0\002B4FF\f07 0\0\0\0\v
25833/1: dat: maxlen=1280 len=100 buf=0xFFBFB520: " N o v 3 0 1"..
25833/1: N o v 3 0 1 7 : 3 1 : 0 5 s m b d [ 2 5 8 3 3 ] : [ I D
25833/1: 2 9 3 2 5 8 F A C I L I T Y _ A N D _ P R I O R I T Y ] l
25833/1: i b s l d a p : S t a t u s : 9 1 M e s g : E r r o r
25833/1: 0\n\0
...
...
...
c) The following error appeear in /var/adm/messages
Dec 1 10:30:29 v4u-v120a smbd[25833]: [ID 293258 user.error] libsldap: Status: 91 Mesg: No such file or directory
Dec 1 10:30:29 v4u-v120a smbd[25833]: [ID 293258 user.error] libsldap: Status: 91 Mesg: Bad file number
Dec 1 10:30:29 v4u-v120a smbd[25833]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Dec 1 10:30:29 v4u-v120a smbd[25833]: [ID 293258 user.error] libsldap: Status: 91 Mesg: Error 0
Also tested by adding some debug codes in Samba source that initgroups() system call works fine only in smdb parent process but not in child smbd process.
Questions:
==========
* Any ideal for above behavours?
* Is the problem of smbd or the Solaris patch?
* Any workarounds? (Of course don't tell me to downgrade the patch 112960-03 and below)
* If is the problem of Solaris patch, anyone can contribute a simple C code the produce the same problem or even the ideal of how this C code should be written?
Thanks,
--
Marco Zhang : Solution Center Engineer
Email : Marco.Zhang at Sun.Com
Customer Service Centre : 1800 339 2786 (in Singapore) +65 6339 2786
Online Service Centre : http://www.sun.com/service/online/
More information about the samba-technical
mailing list