WARNING to those running Samba on OpenIndiana or other Illumos based systems with > 16 groups

Ira Cooper ira at samba.org
Sun Jul 14 07:50:29 MDT 2013

On Sun, Jul 14, 2013 at 8:23 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2013-04-24 at 10:31 +1000, Andrew Bartlett wrote:
> > Just a heads-up, because this bug took me absolutely ages to chase down,
> > and I want to save others the same pain.
> >
> > Samba is perhaps the most prominent reason why you might find a user in
> > more than 16 groups on a Unix system, and so this bug may at first
> > appear to be a 'Samba issue' (that certainly is why it found its way to
> > my attention :-)
> >
> > https://www.illumos.org/issues/3691
> >
> > In short, unless the group list we supply to setgroups() is sorted, if
> > there are more than 16 groups, the Illumos kernel fails to honour some
> > of the groups.  Presumably there is a bisection search being done.
> >
> > The symptom for Samba users is that as a user is added to more groups,
> > they lose access to folders they previously had access to.
> >
> > Attached is a total hack that appears to resolve the issue, but the real
> > fix needs to be in glibc or the kernel.
>
> Just as a follow-up, if you experience this please also see
> https://www.illumos.org/issues/3577 and
> https://bugzilla.samba.org/show_bug.cgi?id=7588 for WORKAROUNDS if you
> cannot fix/change your host OS.  There is a patch for nss_winbind and
> smbd attached to that bug, both of which are required to ensure both
> Samba and other unix applications see all the windows groups.
> As we have now had success getting this fixed upstream I've not had time
> to get back to applying these to Samba when we run on Solaris, but the
> view was that for the small cost of a qsort we probably should.  If a
> DENY ACL is involved, this may also be a SECURITY issue, which is how we
> finally got the root cause addressed upstream.


As the upstream developer who fixed the issue: The fix had nothing to do
with security.  It had to do with Bjorn posting the root cause, and that
frankly I found sorting the list in samba beyond fugly.

I look at the fact you sorted the list in samba and just shake my head...
The same qsort put in the illumos kernel fixes the issue for good.

Given our past history with such bugs, I'd expect we'll tell people to
upgrade their OS.
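
Added example (not part of the thread, and not Samba or illumos code): a small C model of the failure discussed above. It assumes, as the original post only presumes, that group membership is checked by bisection; `in_groups_bisect`, `missed_groups`, `demo` and the gid values are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* qsort comparator for gid_t values. */
static int gid_cmp(const void *a, const void *b) {
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Model of a membership check that bisects the list; only correct on sorted input. */
static int in_groups_bisect(const gid_t *g, size_t n, gid_t want) {
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (g[mid] == want) return 1;
        if (g[mid] < want) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Number of the list's own entries that the bisecting check fails to find. */
static size_t missed_groups(const gid_t *g, size_t n) {
    size_t missed = 0;
    for (size_t i = 0; i < n; i++)
        if (!in_groups_bisect(g, n, g[i])) missed++;
    return missed;
}

/* Constructed sample: 17 gids in unsorted order. */
static const gid_t sample[17] = {
    1105, 513, 1120, 1001, 1117, 1003, 1111, 1002, 1119,
    1010, 1104, 1008, 1113, 1006, 1109, 1004, 1115 };

/* Returns misses for the unsorted list; stores misses after sorting in *after. */
static size_t demo(size_t *after) {
    gid_t g[17];
    size_t n = sizeof(sample) / sizeof(sample[0]);
    memcpy(g, sample, sizeof(sample));
    size_t before = missed_groups(g, n);
    qsort(g, n, sizeof(g[0]), gid_cmp); /* the workaround: sort before setgroups() */
    *after = missed_groups(g, n);
    return before;
}
int main(void) {
    size_t after, before = demo(&after);
    printf("groups not honoured: unsorted=%zu sorted=%zu\n", before, after);
    return 0;
}
```

Every gid the model misses is a group whose ACL entries, allow or deny, would not be applied to the process.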


