Fixed: Re: 3.0a21 and HEAD: only primary group of a domain user is set on smbd

Chere Zhou qzhou at isilon.com
Tue Mar 11 20:33:29 GMT 2003


Turns out that because I do not have nsswitch, I need to hack 
sys_getgrouplist to query winbind for domain users.  Did not have to do that 
for 2.2.x.  I should have said that I am on FreeBSD.  

Anyway, thanks for all the answers.

Chere


On Tuesday 04 March 2003 11:48 pm, Andrew Bartlett wrote:
> On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
> > Dear list,
> >
> > I know that on 2.2.5, when we get user info from winbindd, we also
> > initialize group information based on the group list got from winbind,
> > and do a "setgroups" for the process, so that all of the groups the user
> > is a member of are set on the smbd.
> >
> > Now on 3.0a21 and HEAD, I do not see any "setgroup" operation from
> > winbind, and the smbd process only got the primary group of the Win2k
> > domain user.  So it fails when a file permission is checked for other
> > groups the user is a member of.
> >
> > I can see that sec_ctx.c is about the only place that calls sys_setgroups
> > now, when the Unix group info has only the primary group.  At the same
> > place the NT token has about 9 groups for my test user.
> >
> > Can somebody explain why we are not doing what 2.2.5 was doing?  Is there
> > any design issue related to this?
>
> If you update your HEAD checkout, you will find that I have fixed this
> 'issue'.  The problem is that the Win2k server does not report any
> groups for these users in LDAP, and as such we only use the 'primaryGid'
> attribute from the Active Directory query.  There are however
> alternative queries that can be made, and I have implemented logic to
> detect this situation (it occurs mainly in child domains, we think).
>
> Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.
>
> Andrew Bartlett
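The mechanism this thread turns on, as an added C example that is not Samba's own code: the supplementary list a daemon should hand to setgroups(), the group half of the Unix permission check that fails when the process holds only its primary gid, and a read-back through getgroups() to confirm the kernel took the list. The gids and the stand-in for a winbind-supplied group list are constructed values.

```c
#define _GNU_SOURCE                      /* declares setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if 'gid' is one of the 'n' entries in 'list'. */
static int has_gid(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* Build the list a daemon hands to setgroups(): primary gid first, then the
 * supplementary gids, duplicates dropped.  Without nsswitch the supplementary
 * list must come from winbind itself; here the caller supplies it (the test
 * uses a constructed one).  Returns the count, or -1 if 'max' is too small. */
int build_group_list(gid_t primary, const gid_t *supp, int nsupp,
                     gid_t *out, int max)
{
    if (max < 1) return -1;
    int n = 1; out[0] = primary;
    for (int i = 0; i < nsupp; i++) {
        if (has_gid(out, n, supp[i])) continue;
        if (n >= max) return -1;
        out[n++] = supp[i];
    }
    return n;
}

/* Group half of the Unix permission check as the kernel applies it: the file's
 * gid must be in the process's group list and every wanted bit (a mask of
 * S_IRGRP/S_IWGRP/S_IXGRP) must be set.  A primary-gid-only smbd fails here. */
int group_permits(gid_t fgid, mode_t mode, const gid_t *grp, int ngrp, mode_t want)
{
    return has_gid(grp, ngrp, fgid) && (mode & want) == want;
}

/* Install the list on the running process (root only) and read it back with
 * getgroups() to confirm the kernel holds every entry.  0 on success. */
int apply_group_list(const gid_t *groups, int ngroups)
{
    gid_t held[64]; int got;
    if (setgroups(ngroups, groups) != 0 || (got = getgroups(64, held)) < 0)
        return -errno;
    for (int i = 0; i < ngroups; i++)
        if (!has_gid(held, got, groups[i])) return -1;
    return 0;
}
```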

