3.0a21 and HEAD: only primary group of a domain user is set on
smbd
Ken Cross
kcross at nssolutions.com
Wed Mar 5 03:38:12 GMT 2003
The behavior you're seeing is because LDAP is being used to get the
group membership rather that RPC.
Last month I posted a patch to fix this, but to my knowledge it hasn't
been incorporated. (I'm not bitching, just explaining...)
If you're interested, check the archives for message entitled "Finding
group members - fix to winbindd_ads.c" around Feb 8.
Ken
________________________________
Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com
> -----Original Message-----
> From:
> samba-technical-bounces+kcross=nssolutions.com at lists.samba.org
>
> [mailto:samba-technical-bounces+kcross=nssolutions.com at lists.s
> amba.org] On Behalf Of Chere Zhou
> Sent: Tuesday, March 04, 2003 8:27 PM
> To: samba-technical at lists.samba.org
> Subject: 3.0a21 and HEAD: only primary group of a domain user
> is set on smbd
>
>
> Dear list,
>
> I know that on 2.2.5, when we get user info from winbindd, we
> also initialize
> group information based on the group list got from winbind, and do a
> "setgroups" for the process, so that all of the groups the
> user is a member
> of is set on the smbd.
>
> Now on 3.0a21 and HEAD, I do not see any "setgroup" operation
> from winbind,
> and the smbd process only got the primary group of the Win2k
> domain user. So
> it fails when a file permission is checked for other groups
> the user is a
> member of.
>
> I can see that sec_ctx.c is about the only place that calls
> sys_setgroups
> now, when the Unix group info has only the primary group. At
> the same place
> the NT token has about 9 groups for my test user.
>
> Can somebody explain why we are not doing what 2.2.5 was
> doing? Is there any
> design issue related to this?
>
> Thanks a lot!
>
> Chere
>
More information about the samba-technical
mailing list