3.0a21 and HEAD: only primary group of a domain user is set on smbd

Ken Cross kcross at nssolutions.com
Wed Mar 5 03:38:12 GMT 2003


The behavior you're seeing is because LDAP is being used to get the
group membership rather than RPC.

Last month I posted a patch to fix this, but to my knowledge it hasn't
been incorporated.  (I'm not bitching, just explaining...)

If you're interested, check the archives for the message entitled "Finding
group members - fix to winbindd_ads.c" around Feb 8.

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: samba-technical-bounces+kcross=nssolutions.com at lists.samba.org
> [mailto:samba-technical-bounces+kcross=nssolutions.com at lists.samba.org]
> On Behalf Of Chere Zhou
> Sent: Tuesday, March 04, 2003 8:27 PM
> To: samba-technical at lists.samba.org
> Subject: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
> 
> 
> Dear list,
> 
> I know that on 2.2.5, when we get user info from winbindd, we also
> initialize group information based on the group list got from winbind,
> and do a "setgroups" for the process, so that all of the groups the
> user is a member of are set on the smbd.
>
> Now on 3.0a21 and HEAD, I do not see any "setgroup" operation from
> winbind, and the smbd process only got the primary group of the Win2k
> domain user.  So it fails when a file permission is checked for other
> groups the user is a member of.
>
> I can see that sec_ctx.c is about the only place that calls
> sys_setgroups now, when the Unix group info has only the primary group.
> At the same place the NT token has about 9 groups for my test user.
>
> Can somebody explain why we are not doing what 2.2.5 was doing?  Is
> there any design issue related to this?
> 
> Thanks a lot!
> 
> Chere
> 
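
The permission failure described in the quoted message, modelled as an added example (not Samba code and not from either poster): a simplified Unix mode-bit check for a non-root process, run once with only the primary group and once with the full supplementary list. The struct, function names and numeric IDs are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>

/* Constructed model of a process credential: uid, primary gid, and the
 * supplementary list that setgroups() would install. */
struct cred { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };

static int in_groups(const struct cred *c, gid_t g)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return 1;
    return c->gid == g;
}

/* Mode-bit check for a non-root process: exactly one class (owner,
 * group, other) is chosen, then its bits are tested. want: 4=r, 2=w, 1=x. */
int may_access(const struct cred *c, uid_t fuid, gid_t fgid,
               unsigned mode, int want)
{
    unsigned bits;
    if (c->uid == fuid)
        bits = (mode >> 6) & 7;
    else if (in_groups(c, fgid))
        bits = (mode >> 3) & 7;
    else
        bits = mode & 7;
    return (bits & (unsigned)want) == (unsigned)want;
}

/* Constructed IDs: user 10001, primary group 10000, extra group 10005.
 * The file is owned by uid 0 and group 10005. */
static const gid_t extra[] = { 10005 };

/* Write check with (full_list=1) or without (0) the supplementary group. */
int can_write(unsigned mode, int full_list)
{
    struct cred c = { 10001, 10000, extra, full_list ? 1 : 0 };
    return may_access(&c, 0, 10005, mode, 2);
}

int main(void)
{
    for (int full = 0; full <= 1; full++)
        printf("full_list=%d 0660:%d 0606:%d\n", full,
               can_write(0660, full), can_write(0606, full));
    return 0;
}
```

With mode 0660 the primary-only credential is denied write access, which is the reported symptom. With mode 0606 the same credential is granted access that the full group list would deny, so a missing supplementary list can also widen access where group bits are used to restrict.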


