initgroups() system call in smbd child process doesn't get suppliementary group info from LDAP

Marco Zhang Marco.Zhang at Sun.COM
Wed Dec 17 10:20:08 GMT 2003


Hi Jerry,

Some more findings:


I modified smbd/server.c and changed the main() to the following:

/*------------*/
 int main(int argc,char *argv[])
{
        gid_t *gids,  gid;
        int ngroups;

        gid = (gid_t) 513;
        initgroups("marco", gid);
        ngroups = getgroups(0, gids);
        printf("%d groups!\n",ngroups);
        return(0);
}

I have a user called "marco" stored in Directory Server with primary group id 513 and suplmentary group 512.

I compiled above and run "../sbin/smbd -i". The result are:

- If with Solaris 9 patch 112960-03, getgroups() returns 2 groups 

- If with Solaris 9 patch 112960-09, getgroups() returns only 1 group !?


Well, the interesting thing is if I compile above simple code without other Samba source code context (standalone), it returns 2 group regardless what patch I used.


Would you able to give me some hint? :-(

Thanks,
Marco

On Tue, Dec 02, 2003 at 08:56:00AM -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Marco Zhang wrote:
> | Hi Experts,
> |
> | Here is my setup:
> | ================
> | * OS:
> | 	Solaris 9 with Native LDAP client enabled
> |
> | * Samba:
> | 	2.2.8a compiled with OpenLDAP 2.1.22:
> | 	# CPPFLAGS="-I/usr/local/openldap_22/include"
> |       LDFLAGS="-L/usr/local/openldap_22/lib" ./configure
> |       --prefix=/usr/local/samba_2.2.8_ldap22 --with-ldapsam
> |
> | * OpenLDAP 2.1.22
> |
> | * iPlanet Directory Server 5.1 is setup to as SAM
> |
> |
> | The problem is:
> | ===============
> | With patch 112960-03 and below, everything works fine. With patch
> | newer than 112960-03, Samba cann't get the supplementary
> | group information for a user from directory server.
> | Therefore, the user gets access denied when access to
> | those files with supplementary group permission.
> 
> This sounds a lot like https://bugzilla.samba.org/show_bug.cgi?id=395
> 
> 
> | Also tested by adding some debug codes in Samba source that initgroups()
> | system call works fine only in smdb parent process but not in child smbd
> | process.
> ....
> | Questions:
> | ==========
> | * Any ideal for above behavours?
> | * Is the problem of smbd or the Solaris patch?
> | * Any workarounds? (Of course don't tell me to downgrade the
> |   patch 112960-03 and below)
> | * If is the problem of Solaris patch, anyone can contribute a
> |   simple C code the produce the same problem or even the ideal
> |   of how this C code should be written?
> 
> I'll get something to you later today hopefully.  I'd like to
> close out that bug report anyways.
> 
> 
> 
> cheeers, jerry
> ~ ----------------------------------------------------------------------
> ~ Hewlett-Packard            ------------------------- http://www.hp.com
> ~ SAMBA Team                 ---------------------- http://www.samba.org
> ~ GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
> ~ "If we're adding to the noise, turn off this song" --Switchfoot (2003)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQE/zKgAIR7qMdg1EfYRAuYiAKCtAGeMStu7F+U7m8YpZHg3bwbh5ACfRt4X
> vdetpiGf6hJfyYVZfUACSJs=
> =suih
> -----END PGP SIGNATURE-----
> 

-- 

Marco Zhang             : Solution Center Engineer
Email                   : Marco.Zhang at Sun.Com
Customer Service Centre : 1800 339 2786 (in Singapore) +65 6339 2786
Online Service Centre   : http://www.sun.com/service/online/ 


More information about the samba-technical mailing list