3.0a21 and HEAD: only primary group of a domain user is set on smbd

Chere Zhou qzhou at isilon.com
Mon Mar 10 21:24:28 GMT 2003


After managing to compile HEAD on my box, I don't see that my problem is fixed 
on HEAD.  For a user that belongs to 5 groups in an ADS domain, smbd got only 
the primary group.  Here is something from the log:
[2003/03/10 13:01:58, 3] smbd/process.c:switch_message(676)
  switch message SMBntcreateX (pid 11923)
[2003/03/10 13:01:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (10000, 10000) - sec_ctx_stack_ndx = 0
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_nt_user_token(516)
  NT user token of user S-1-5-21-606747145-117609710-725345543-1005
  contains 9 SIDs
  SID[  0]: S-1-5-21-606747145-117609710-725345543-1005
  SID[  1]: S-1-5-21-606747145-117609710-725345543-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-606747145-117609710-725345543-3173
  SID[  6]: S-1-5-21-606747145-117609710-725345543-512
  SID[  7]: S-1-5-21-606747145-117609710-725345543-3186
  SID[  8]: S-1-5-21-606747145-117609710-725345543-3187
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_unix_user_token(530)
  UNIX token of user 10000
  Primary group is 10000 and contains 2 supplementary groups
  Group[  0]: 10000
  Group[  1]: 10000
[2003/03/10 13:01:58, 5] smbd/uid.c:change_to_user(203)
  change_to_user uid=(0,10000) gid=(0,10000)

I would expect primary group is 10000, and contains 5 or 6 groups,
10000, 10001, 10002, 10003 etc.

Is this problem familiar to anyone working on Samba 3.0?

Chere


On Tuesday 04 March 2003 11:48 pm, Andrew Bartlett wrote:
> On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
> > Dear list,
> >
> > I know that on 2.2.5, when we get user info from winbindd, we also
> > initialize group information based on the group list got from winbind,
> > and do a "setgroups" for the process, so that all of the groups the user
> > is a member of are set on the smbd.
> >
> > Now on 3.0a21 and HEAD, I do not see any "setgroup" operation from
> > winbind, and the smbd process only got the primary group of the Win2k
> > domain user.  So it fails when a file permission is checked for other
> > groups the user is a member of.
> >
> > I can see that sec_ctx.c is about the only place that calls sys_setgroups
> > now, when the Unix group info has only the primary group.  At the same
> > place the NT token has about 9 groups for my test user.
> >
> > Can somebody explain why we are not doing what 2.2.5 was doing?  Is there
> > any design issue related to this?
>
> If you update your HEAD checkout, you will find that I have fixed this
> 'issue'.  The problem is that the Win2k server does not report any
> groups for these users in LDAP, and as such we only use the 'primaryGid'
> attribute from the Active Directory query.  There are however
> alternative queries that can be made, and I have implemented logic to
> detect this situation (it occurs mainly in child domains, we think).
>
> Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.
>
> Andrew Bartlett
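
An added example (not part of the original thread and not Samba code): a small Python check that reads a level-5 smbd log excerpt like the one in the message above and flags the mismatch reported there, where the NT token carries several domain group SIDs but the UNIX token holds only the primary gid. The function name `check_tokens` and the rule that SID[0] is the user's own SID are assumptions of this example, and the result is a heuristic because it does not perform the SID-to-gid mapping itself.

```python
import re

# Sample: token lines copied from the log in the message above.
SAMPLE_LOG = """\
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_nt_user_token(516)
  NT user token of user S-1-5-21-606747145-117609710-725345543-1005
  contains 9 SIDs
  SID[  0]: S-1-5-21-606747145-117609710-725345543-1005
  SID[  1]: S-1-5-21-606747145-117609710-725345543-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-606747145-117609710-725345543-3173
  SID[  6]: S-1-5-21-606747145-117609710-725345543-512
  SID[  7]: S-1-5-21-606747145-117609710-725345543-3186
  SID[  8]: S-1-5-21-606747145-117609710-725345543-3187
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_unix_user_token(530)
  UNIX token of user 10000
  Primary group is 10000 and contains 2 supplementary groups
  Group[  0]: 10000
  Group[  1]: 10000
"""

SID_RE = re.compile(r"^\s*SID\[\s*\d+\]:\s*(S-[\d-]+)\s*$")
GID_RE = re.compile(r"^\s*Group\[\s*\d+\]:\s*(\d+)\s*$")
PRIMARY_RE = re.compile(r"Primary group is (\d+)")

def check_tokens(log_text):
    """Compare the NT and UNIX tokens found in an smbd level-5 log excerpt."""
    sids, gids, primary = [], set(), None
    for line in log_text.splitlines():
        if m := SID_RE.match(line):
            sids.append(m.group(1))
        elif m := GID_RE.match(line):
            gids.add(int(m.group(1)))
        elif m := PRIMARY_RE.search(line):
            primary = int(m.group(1))
    if not sids or primary is None:
        raise ValueError("NT or UNIX token missing from log excerpt")
    # Assumption: SID[0] is the user; group SIDs from the user's own domain
    # share its prefix (everything before the final RID).
    domain = sids[0].rsplit("-", 1)[0]
    group_sids = [s for s in sids[1:] if s.rsplit("-", 1)[0] == domain]
    extra = gids - {primary}  # supplementary gids other than the primary
    return {"domain_group_sids": len(group_sids),
            "extra_unix_gids": sorted(extra),
            "primary_only": len(group_sids) > 1 and not extra}
```

On the excerpt above it reports five domain group SIDs and no supplementary gid besides 10000, matching the five groups the poster expected to see.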

