3.0a21 and HEAD: only primary group of a domain user is set on smbd

Andrew Bartlett abartlet at samba.org
Wed Mar 5 07:48:50 GMT 2003


On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
> Dear list,
> 
> I know that on 2.2.5, when we get user info from winbindd, we also initialize 
> group information based on the group list got from winbind, and do a 
> "setgroups" for the process, so that all of the groups the user is a member 
> of are set on the smbd.
> 
> Now on 3.0a21 and HEAD, I do not see any "setgroup" operation from winbind, 
> and the smbd process only got the primary group of the Win2k domain user.  So 
> it fails when a file permission is checked for other groups the user is a 
> member of. 
> 
> I can see that sec_ctx.c is about the only place that calls sys_setgroups 
> now, when the Unix group info has only the primary group.  At the same place 
> the NT token has about 9 groups for my test user.
> 
> Can somebody explain why we are not doing what 2.2.5 was doing?  Is there any 
> design issue related to this?

If you update your HEAD checkout, you will find that I have fixed this
'issue'.  The problem is that the Win2k server does not report any
groups for these users in LDAP, and as such we only use the 'primaryGid'
attribute from the Active Directory query.  There are however
alternative queries that can be made, and I have implemented logic to
detect this situation (it occurs mainly in child domains, we think). 

Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
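
A diagnostic for the symptom discussed in this thread, added here as an example and not taken from Samba or from either poster: it compares the groups NSS reports for the current user with the groups actually set on the running process. The function names and the 256-entry limit are assumptions of the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE  /* exposes getgrouplist() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GIDS 256  /* assumed upper bound for this example */

/* Copy every gid of expected[] that is absent from actual[] into out[];
 * return how many were copied. out[] must hold at least n_exp entries. */
size_t missing_gids(const gid_t *expected, size_t n_exp,
                    const gid_t *actual, size_t n_act, gid_t *out)
{
    size_t n_missing = 0;
    for (size_t i = 0; i < n_exp; i++) {
        int found = 0;
        for (size_t j = 0; j < n_act && !found; j++)
            found = (expected[i] == actual[j]);
        if (!found)
            out[n_missing++] = expected[i];
    }
    return n_missing;
}

/* Number of groups NSS lists for the current user that the process does
 * not hold, or -1 on lookup failure. missing[] must hold MAX_GIDS entries. */
int audit_current_process(gid_t *missing)
{
    gid_t nss[MAX_GIDS], proc[MAX_GIDS + 1];
    int n_nss = MAX_GIDS;
    struct passwd *pw = getpwuid(geteuid());
    if (pw == NULL || getgrouplist(pw->pw_name, pw->pw_gid, nss, &n_nss) < 0)
        return -1;
    int n_proc = getgroups(MAX_GIDS, proc);
    if (n_proc < 0)
        return -1;
    proc[n_proc++] = getegid();  /* getgroups() need not include the egid */
    return (int)missing_gids(nss, (size_t)n_nss, proc, (size_t)n_proc, missing);
}

int main(void)
{
    gid_t missing[MAX_GIDS];
    int n = audit_current_process(missing);
    if (n < 0) { fprintf(stderr, "group lookup failed\n"); return 2; }
    for (int i = 0; i < n; i++)
        printf("not in process credentials: gid %lu\n", (unsigned long)missing[i]);
    return n ? 1 : 0;
}
```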