WARNING to those running Samba on OpenIndiana or other Illumos based systems with > 16 groups

Andrew Bartlett abartlet at samba.org
Sun Jul 14 06:23:42 MDT 2013

On Wed, 2013-04-24 at 10:31 +1000, Andrew Bartlett wrote:
> Just a heads-up, because this bug took me absolutely ages to chase down,
> and I want to save others the same pain.
> Samba is perhaps the most prominent reason why you might find a user in
> more than 16 groups on a Unix system, and so this bug may at first
> appear to be a 'Samba issue' (that certainly is why it found it's way to
> my attention :-)
> https://www.illumos.org/issues/3691
> In short, unless the group list we supply to setgroups() is sorted, if
> there are more than 16 groups, the Illumos kernel fails to honour some
> of the groups.  Presumably there is a bisection search being done. 
> The symptom for Samba users is that as a user is added to more groups,
> they loose access to folders they previously had access too. 
> Attached is a total hack that appears to resolve the issue, but the real
> fix needs to be in glibc or the kernel. 

Just as a follow-up, if you experience this please also see 
https://www.illumos.org/issues/3577 and
https://bugzilla.samba.org/show_bug.cgi?id=7588 for WORKAROUNDS if you
cannot fix/change your host OS.  There is a patch for nss_winbind and
smbd attached to that bug, both of which are required to ensure both
Samba and other unix applications see all the windows groups. 

As we have now had success getting this fixed upstream I've not had time
to get back to applying these to Samba when we run on Solaris, but the
view was that for the small cost of a qsort we probably should.  If a
DENY ACL is involved, this may also be a SECURITY issue, which is how we
finally got the route cause addressed upstream.


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list