[Samba] S3 domain member shares won't authorize secondary groups,
only for W98
jerome.fenal at logicacmg.com
Tue Dec 9 19:47:01 GMT 2003
After kudos, time comes again with problems.
This time, still on the same setup as before :
- Linux PDC with ldapsam, ran by RH9, OpenLDAP 2.0.27 (stock RH9
RPM+Solaris RootDSE patch), Samba 3.0.1rc1 recompiled from SRPM ;
- Linux BDC is the same ;
The PDC and BDC are working Ok, so I won't include the smb.conf from these.
- Solaris 9 domain member (jersey) gets Posix accounts from the OpenLDAP
directory, Samba 3.0.1rc1 (home recompiled with nearly the same conf
options as for Linux) is joined to the domain.
On the Solaris server, there is a share defined as follow :
unix charset = CP850
workgroup = DOMAIN
server string = Jersey
security = DOMAIN
username level = 5
log level = 10
log file = /var/log/samba/%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
domain master = No
wins server = 172.17.0.1
admin users = root
mangle case = Yes
hide dot files = No
fake oplocks = Yes
comment = Dossier commun DSVI
path = /d2/dsvi
valid users = +dsvi
force group = dsvi
read only = No
create mask = 0774
directory mask = 0775
force directory mode = 0774
User defined in Unix as follow (Linux id command, from LDAP info) :
# id jerome
In LDAP :
$ ldapsearch -h localhost -D 'cn=Manager,dc=domain,dc=com' -x
'(uid=jerome)' -W -LLL
Enter LDAP Password: ********
dn: uid=jerome, ou=INFORMATIQUE, ou=Paris, ou=People, dc=domain,dc=com
gecos: Jerome Fenal
Secondary groups are mapped :
dsvi (S-1-5-21-1150874807-1180408084-429402335-1207) -> dsvi
susers (S-1-5-21-1150874807-1180408084-429402335-1205) -> susers
Domain Users (S-1-5-21-1150874807-1180408084-429402335-513) -> domusers
Printer Operators (S-1-5-21-1150874807-1180408084-429402335-550) -> prtadmin
Note that the group asked to connect to the \\jersey\dsvi share is a
secondary group for the user.
Now, to the problem :
- if connecting from a WinXP client, no problem, netlogin goes ok, and
the share \\jersey\dsvi is mounted from the login script (net use g:
Connecting from a Win98 client lead to weird behaviour :
- I can logon, but the dsvi share won't mount, and it will ask me for a
- if I use samba-2.2.8a (home recompiled with exactly samba options as
Samba 3), I can login _and_ the \\jersey\dsvi share is mounted
- Back to Samba3, if I make the dsvi group jerome's *primary* group
(either completely or only by the mean of sambaPrimaryGroupSID LDAP
attr.), I can mount the share
- Still in Samba3 back with dsvi as secondary group, if I rename the
user to uppercase (jerome->JEROME), and all memberUid: LDAP attr for the
groups, it works, the share is mounted. I had the idea of doing that by
seeing the account name uppercased in samba logs.
Wait, I can also see the following :
On Solaris (/usr/xpg4/bin/id) :
root at jersey:/root# id jerome
root at jersey:/root# id JEROME
uid=1000(JEROME) gid=513(domusers) groups=103(dsvi),102(susers)
On Linux PDC :
# id jerome
uid=1000(JEROME) gid=513(domusers) groups=513(domusers),550(prtadmin)
# id JEROME
Seems the problem come from there...
I rename the account to lowercase, and id gives (on Linux) :
# id jerome
# id JEROME
uid=1000(jerome) gid=513(domusers) groups=513(domusers)
Same 'id' result on Solaris 9.
This problem appears whatever value is given to the 'username level='
clause in smb.conf.
So I suspect that either 'username level=' is not honored for the search
of secondary groups membership, or that the username is not
lower-cased anymore as it could have been in Samba 2.2.8a.
Or a change of behaviour between 2.2.8 and 3.0 'valid users=' clause.
I can keep Samba 2.2.8a for a while on the member server, but I'd like
to see this behaviour fixed. I'd like to provide a patch, but it's been
years I didn't program in C...
I can submit level 10 logs on thursday upon request on private mail (too
much security info in them).
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
More information about the samba