[Samba] S3 domain member shares won't authorize secondary groups,
only for W98
Jérôme Fenal
jerome.fenal at logicacmg.com
Tue Dec 9 19:47:01 GMT 2003
Hi list,
After kudos, time comes again with problems.
This time, still on the same setup as before:
- Linux PDC with ldapsam, running RH9, OpenLDAP 2.0.27 (stock RH9
RPM+Solaris RootDSE patch), Samba 3.0.1rc1 recompiled from SRPM;
- Linux BDC is the same;
The PDC and BDC are working Ok, so I won't include the smb.conf from these.
- Solaris 9 domain member (jersey) gets Posix accounts from the OpenLDAP
directory, Samba 3.0.1rc1 (home recompiled with nearly the same conf
options as for Linux) is joined to the domain.
On the Solaris server, there is a share defined as follows:
[global]
unix charset = CP850
workgroup = DOMAIN
server string = Jersey
security = DOMAIN
username level = 5
log level = 10
log file = /var/log/samba/%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
domain master = No
wins server = 172.17.0.1
admin users = root
mangle case = Yes
hide dot files = No
fake oplocks = Yes
[dsvi]
comment = Dossier commun DSVI
path = /d2/dsvi
valid users = +dsvi
force group = dsvi
read only = No
create mask = 0774
directory mask = 0775
force directory mode = 0774
User defined in Unix as follows (Linux id command, from LDAP info):
# id jerome
uid=1000(jerome) gid=513(domusers)
groups=513(domusers),550(prtadmin),103(dsvi),102(susers)
In LDAP :
$ ldapsearch -h localhost -D 'cn=Manager,dc=domain,dc=com' -x
'(uid=jerome)' -W -LLL
Enter LDAP Password: ********
dn: uid=jerome, ou=INFORMATIQUE, ou=Paris, ou=People, dc=domain,dc=com
sambaLMPassword: xxxxxxx
displayName:: SsOpcsO0bWUgRmVuYWw=
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
shadowLastChange: 12391
sambaHomeDrive: H:
uid: jerome
uidNumber: 1000
cn: jerome
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1069436848
loginShell: /bin/bash
sambaAcctFlags: [UX]
sambaNTPassword: xxxxxxxx
sambaPwdCanChange: 1066406719
sambaSID: S-1-5-21-1150874807-1180408084-429402335-3000
gecos: Jerome Fenal
description:: SsOpcsO0bWUgRmVuYWw=
homeDirectory: /home/jerome
sambaKickoffTime: 2147483647
sn: jerome
sambaHomePath: \\theviec\homes
sambaPwdMustChange: 2147483647
sambaLogonScript: login\jerome.bat
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-1150874807-1180408084-429402335-513
userPassword:: xxxxxxxxx
sambaLogonTime: 0
Secondary groups are mapped :
dsvi (S-1-5-21-1150874807-1180408084-429402335-1207) -> dsvi
susers (S-1-5-21-1150874807-1180408084-429402335-1205) -> susers
Domain Users (S-1-5-21-1150874807-1180408084-429402335-513) -> domusers
Printer Operators (S-1-5-21-1150874807-1180408084-429402335-550) -> prtadmin
Note that the group asked to connect to the \\jersey\dsvi share is a
secondary group for the user.
Now, to the problem :
- if connecting from a WinXP client, no problem, netlogin goes ok, and
the share \\jersey\dsvi is mounted from the login script (net use g:
\\jersey\dsvi)
Connecting from a Win98 client leads to weird behaviour:
- I can logon, but the dsvi share won't mount, and it will ask me for a
password
- if I use samba-2.2.8a (home recompiled with exactly the same options as
Samba 3), I can login _and_ the \\jersey\dsvi share is mounted
- Back to Samba3, if I make the dsvi group jerome's *primary* group
(either completely or only by means of the sambaPrimaryGroupSID LDAP
attr.), I can mount the share
- Still in Samba3 back with dsvi as secondary group, if I rename the
user to uppercase (jerome->JEROME), and all memberUid: LDAP attr for the
groups, it works, the share is mounted. I had the idea of doing that by
seeing the account name uppercased in samba logs.
Wait, I can also see the following :
On Solaris (/usr/xpg4/bin/id) :
root at jersey:/root# id jerome
uid=1000(JEROME) gid=513(domusers)
root at jersey:/root# id JEROME
uid=1000(JEROME) gid=513(domusers) groups=103(dsvi),102(susers)
On Linux PDC :
# id jerome
uid=1000(JEROME) gid=513(domusers) groups=513(domusers),550(prtadmin)
# id JEROME
uid=1000(JEROME) gid=513(domusers)
groups=513(domusers),103(dsvi),102(susers)
Seems the problem comes from there...
I renamed the account to lowercase, and id gives (on Linux):
# id jerome
uid=1000(jerome) gid=513(domusers)
groups=513(domusers),550(prtadmin),103(dsvi),102(susers)
# id JEROME
uid=1000(jerome) gid=513(domusers) groups=513(domusers)
Same 'id' result on Solaris 9.
This problem appears whatever value is given to the 'username level='
clause in smb.conf.
So I suspect that either 'username level=' is not honored for the search
of secondary groups membership, or that the username is not
lower-cased anymore as it could have been in Samba 2.2.8a.
Or a change of behaviour between 2.2.8 and 3.0 'valid users=' clause.
I can keep Samba 2.2.8a for a while on the member server, but I'd like
to see this behaviour fixed. I'd like to provide a patch, but it's been
years since I programmed in C...
I can submit level 10 logs on Thursday upon request on private mail (too
much security info in them).
Regards,
Jerome
--
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
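An added illustration, not part of the original mail or of Samba's code: it models the asymmetry visible in the `id jerome` / `id JEROME` output above (the account is found whatever the case of the name, but the secondary groups are only found when the case matches the stored memberUid values), and shows the mitigation a name-service lookup should apply, namely canonicalising the name through the passwd entry before collecting groups. The directory content is constructed sample data mirroring the post; the function names are hypothetical.

```python
# Constructed sample data mirroring the post: the uid is stored uppercase,
# prtadmin lists the lowercase spelling, the other groups the uppercase one.
PASSWD = {  # uid as stored -> (uidNumber, gidNumber)
    "JEROME": (1000, 513),
}
GROUPS = {  # cn -> (gidNumber, memberUid values as stored)
    "domusers": (513, ["JEROME"]),
    "prtadmin": (550, ["jerome"]),
    "dsvi": (103, ["JEROME"]),
    "susers": (102, ["JEROME"]),
}


def getpwnam(name):
    """Account lookup. In the standard schema the uid attribute uses
    caseIgnoreMatch, so any case of the name finds the entry."""
    for stored, (uidnum, gidnum) in PASSWD.items():
        if stored.lower() == name.lower():
            return stored, uidnum, gidnum
    return None


def secondary_groups(name):
    """Group lookup. RFC 2307 memberUid uses caseExactIA5Match, so the
    name must match the stored value byte for byte."""
    return sorted(gid for gid, members in GROUPS.values() if name in members)


def naive_id(name):
    """Resolve groups with the name exactly as the caller typed it.
    This reproduces the 'account found, groups missing' symptom."""
    pw = getpwnam(name)
    if pw is None:
        return None
    return {"uid": pw[1], "gid": pw[2], "groups": secondary_groups(name)}


def canonical_id(name):
    """Resolve groups with the uid as stored in the directory, i.e. the
    spelling returned by the passwd lookup, not the spelling typed."""
    pw = getpwnam(name)
    if pw is None:
        return None
    stored, uidnum, gidnum = pw
    return {"uid": uidnum, "gid": gidnum, "groups": secondary_groups(stored)}


def share_allowed(name, required_gid, resolver=canonical_id):
    """A 'valid users = +group' style check: primary or secondary membership."""
    ident = resolver(name)
    return ident is not None and (ident["gid"] == required_gid or required_gid in ident["groups"])
```

With the naive resolver the dsvi check fails for the lowercase name exactly as the share did for the Win98 logon; with canonicalisation the same name passes.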