initgroups() system call in smbd child process doesn't get suppliementary group info from LDAP 10462145

Marco Zhang Marco.Zhang at Sun.COM
Thu Dec 18 09:45:44 GMT 2003


Hi Jerry,

Sorry to trouble you. Understand you are busying on 3.0.1 release.

Just to share with you my latest findings. The problem seems to be in the compatablity bewteen OpenLdap library and Solaris 9 LDAP library.

I did a truss aginst the smbd and user level function calls:

# truss -u '*' smbd -i

With 112960-03 patch, I get:
============================

read(4, " #   $ O p e n L D A P :".., 8192)     = 388
...
    <- libldap:ldap_init() = 0x1d0180
    -> libldap:ldap_set_option(0x1d0180, 0x11, 0xffbfda0c, 0x0)
    <- libldap:ldap_set_option() = 0
    -> libldap:ldap_set_option(0x1d0180, 0x2, 0xffbfda08, 0x0)
    <- libldap:ldap_set_option() = 0
    -> libldap:ldap_set_option(0x1d0180, 0x8, 0x0, 0x0)
    <- libldap:ldap_set_option() = 0
    -> libldap:ldap_set_option(0x1d0180, 0x4, 0xffbfda04, 0x0)
    <- libldap:ldap_set_option() = 0
    -> libldap:ldap_set_option(0x1d0180, 0x3, 0xffbfda04, 0x0)
    <- libldap:ldap_set_option() = 0
    -> libldap:ldap_set_option(0x1d0180, 0x4f01, 0xffbfd9fc, 0x0)
    <- libldap:ldap_set_option() = -1
    -> libldap:ldap_simple_bind(0x1d0180, 0x1d03c8, 0x1d2e18, 0x0)
...

This is correct. It makes ldap_init() call, set some optinos, then bind to ldap...


However, with 112960-09 patch, I get:
====================================

read(4, " #   $ O p e n L D A P :".., 8192)     = 388
...
    <- libldap:ldap_init() = 0x1d0180
    -> libldap:ldap_set_option(0x1d0180, 0x3f01, 0xff03e0ec, 0x1d0180)
    <- libldap:ldap_set_option() = -1
    -> libc:___errno(0xffffffff, 0x3f01, 0xff03e0ec, 0x1d0180)
    <- libc:___errno() = 0x1cee64
    -> libc:strerror(0x2, 0x3f01, 0xff03e0ec, 0x1d0180)
...

As you can see, with patch 112960-09 initgroups() fails at ldap_set_option() without making further ldap_simple_bind() to directory server. Therefore, supplementary groups are not retrived from directory server.


Do a "find" for libldap.* library files on the system:

/usr/lib/libldap.so
/usr/lib/libldap.so.3
/usr/lib/libldap.so.4
/usr/lib/libldap.so.5
/usr/lib/sparcv9/libldap.so
/usr/lib/sparcv9/libldap.so.3
/usr/lib/sparcv9/libldap.so.4
/usr/lib/sparcv9/libldap.so.5
/usr/lib/fn/sparcv9/libldap.so
/usr/lib/fn/sparcv9/libldap.so.1
/usr/lib/fn/libldap.so
/usr/lib/fn/libldap.so.1
/usr/local/openldap_22/lib/libldap.so
/usr/local/openldap_22/lib/libldap.so.2.0.122
/usr/local/openldap_22/lib/libldap.so.2
/usr/local/openldap_22/lib/libldap.la
/usr/local/openldap_22/lib/libldap.a


Obviously, initgroups() in smbd makes use of /usr/local/openldap_22/lib/libldap.so rather than /usr/lib/libldap.so. So, I did this:

# cp /usr/lib/libldap.so.5 /usr/local/openldap_22/lib/libldap.so.2.0.122

It works for retreiving supplementray group from directory server now!!! But I am sure it will break other stuff such as tls as far as I know.

Does it ring a bell? 

Thanks,
Marco

On Wed, Dec 17, 2003 at 10:58:09AM -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Sorry Marco.  I got tied up in the 3.0.1 release and
> the session key bug.  I'll jump back on this tomorrow.
> 
> 
> 
> 
> jerry
> 
> Marco Zhang wrote:
> 
> >I modified smbd/server.c and changed the main() to the following:
> >
> >/*------------*/
> > int main(int argc,char *argv[])
> >{
> >        gid_t *gids,  gid;
> >        int ngroups;
> >
> >        gid = (gid_t) 513;
> >        initgroups("marco", gid);
> >        ngroups = getgroups(0, gids);
> >        printf("%d groups!\n",ngroups);
> >        return(0);
> >}
> >
> >I have a user called "marco" stored in Directory Server with 
> > primary group id 513 and suplmentary group 512.
> >
> >I compiled above and run "../sbin/smbd -i". The result are:
> >
> >- If with Solaris 9 patch 112960-03, getgroups() returns 2 groups 
> >
> >- If with Solaris 9 patch 112960-09, getgroups() returns only 1 group !?
> >
> >Well, the interesting thing is if I compile above simple code 
> > without other Samba source code context (standalone), it
> > returns 2 group regardless what patch I used.
> 
> 
> 
> - -- 
>  ----------------------------------------------------------------------
>  Hewlett-Packard            ------------------------- http://www.hp.com
>  SAMBA Team                 ---------------------- http://www.samba.org
>  GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
>  "If we're adding to the noise, turn off this song" --Switchfoot (2003)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQE/4IshIR7qMdg1EfYRAvgkAKCBmx5EA5wPr/H2w2EMRJNvYtZ9cQCg31YQ
> 5k7hF9984rRdawNKEjsshhY=
> =xACE
> -----END PGP SIGNATURE-----
> 

-- 

Marco Zhang             : Solution Center Engineer
Email                   : Marco.Zhang at Sun.Com
Customer Service Centre : 1800 339 2786 (in Singapore) +65 6339 2786
Online Service Centre   : http://www.sun.com/service/online/ 


More information about the samba-technical mailing list