[Samba] Re: S3 domain member shares won't authorize secondary groups, only for W98

Jérôme Fenal jerome.fenal at logicacmg.com
Fri Dec 12 10:28:07 GMT 2003


Hi list,

Last message on the topic is long so I won't reproduce it here. You can 
still read it at :
http://marc.theaimsgroup.com/?l=samba&m=107099931908523&w=2.

I have more news on this front.

I made level 10 logs from win98 with samba 3.0.1rc2 and 2.2.8a.
It seems that 2.2.8a converts the username given by win98 to lowercase, 
which in turn makes unix return all the groups of the unix user :

[2003/12/12 10:31:35, 10] smbd/password.c:register_vuid(288)
   register_vuid: (1000,513) jerome JEROME DOMAIN guest=0
[2003/12/12 10:31:35, 10] smbd/password.c:register_vuid(298)
   register_vuid: allocated vuid = 100
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:push_sec_ctx(297)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/12 10:31:35, 3] smbd/uid.c:push_conn_ctx(286)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:set_sec_ctx(329)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:get_current_groups(172)
   get_current_groups: user is in 4 groups: 513, 550, 103, 102
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:pop_sec_ctx(436)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:get_current_groups(172)
   get_current_groups: user is in 4 groups: 513, 550, 103, 102
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
   sid_to_gid: winbind lookup for sid 
S-1-5-21-1150874807-1180408084-429402335-513 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
   sid_to_gid: winbind lookup for sid 
S-1-5-21-1150874807-1180408084-429402335-550 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
   sid_to_gid: winbind lookup for sid 
S-1-5-21-1150874807-1180408084-429402335-1207 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
   sid_to_gid: winbind lookup for sid 
S-1-5-21-1150874807-1180408084-429402335-1205 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:uid_to_sid(758)
   uid_to_sid: local 1000 -> S-1-5-21-889427125-3291125262-439525394-3000
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
   gid_to_sid: local 513 -> S-1-5-21-889427125-3291125262-439525394-2027
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
   gid_to_sid: local 550 -> S-1-5-21-889427125-3291125262-439525394-2101
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
   gid_to_sid: local 103 -> S-1-5-21-889427125-3291125262-439525394-1207
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
   gid_to_sid: local 102 -> S-1-5-21-889427125-3291125262-439525394-1205

As you can see, all the lookups are done with a lowercase account name, 
and thus find all the groups that the user belongs to.

But samba 3 keeps the user given by win98 in all uppercase :

It starts with the use of the username level parameter :
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam(288)
   Finding user DOMAIN\JEROME
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(223)
   Trying _Get_Pwnam(), username as lowercase is domain\jerome
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(230)
   Trying _Get_Pwnam(), username as given is DOMAIN\JEROME
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(247)
   Checking combinations of 8 uppercase letters in domain\jerome
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(251)
   Get_Pwnam_internals didn't find user [DOMAIN\JEROME]!
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam(288)
   Finding user JEROME
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(223)
   Trying _Get_Pwnam(), username as lowercase is jerome
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(251)
   Get_Pwnam_internals did find user [JEROME]!
[2003/12/12 10:17:15, 10] passdb/pdb_get_set.c:pdb_set_username(593)
   pdb_set_username: setting username jerome, was

So one may think that username 'jerome' (all lowercase) is used.

Then comes the group membership determination :

[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(113)
   sys_getgrouplist: user [JEROME]
[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(122)
   sys_getgrouplist(): disabled winbindd for group lookup [user == JEROME]
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:push_sec_ctx(256)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/12 10:17:15, 3] smbd/uid.c:push_conn_ctx(287)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_nt_user_token(486)
   NT user token: (NULL)
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
   UNIX token of user 1000
   Primary group is 513 and contains 2 supplementary groups
   Group[  0]: 513
   Group[  1]: 513

As /usr/xpg4/bin/id says, JEROME is only a member of its primary group 
(see previous posting).

Something funnier (but normal as SIDs come from the SMB wire, and Unix's 
come from local PAM) : samba gets the secondary group SIDs, but not the 
Unix ones.

[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_nt_user_token(491)
   NT user token of user S-1-5-21-1150874807-1180408084-429402335-3000
   contains 8 SIDs
   SID[  0]: S-1-5-21-1150874807-1180408084-429402335-3000
   SID[  1]: S-1-5-21-1150874807-1180408084-429402335-513
   SID[  2]: S-1-1-0
   SID[  3]: S-1-5-2
   SID[  4]: S-1-5-11
   SID[  5]: S-1-5-21-1150874807-1180408084-429402335-550
   SID[  6]: S-1-5-21-1150874807-1180408084-429402335-1207
   SID[  7]: S-1-5-21-1150874807-1180408084-429402335-1205
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
   UNIX token of user 1000
   Primary group is 513 and contains 2 supplementary groups
   Group[  0]: 513
   Group[  1]: 513

So, when the windows 98 client tries to mount the share authorized for 
the rid=1207 (gid=103) group, it ends with the refusal :

[2003/12/12 10:17:15, 10] lib/username.c:user_in_list(521)
   user_in_list: checking user JEROME in list
[2003/12/12 10:17:15, 10] lib/username.c:user_in_list(525)
   user_in_list: checking user |JEROME| against |+dsvi|
[2003/12/12 10:17:15, 2] smbd/service.c:make_connection_snum(391)
   user 'JEROME' (from session setup) not permitted to access this share 
(dsvi)

One thing I have not tried is to use winbind (with an LDAP idmap 
reference). I think it would work, but it would be a little overkill as 
I already have the LDAP Posix accounts distributed to my Solaris domain 
member.

So, can anybody tell me if this behaviour change was intentional, 
or if :
- it is a bug in the pam libraries (both in Solaris and in PADL used by 
Linux), which should be returning group membership regardless of the 
username case ?
- it is a bug in my LDAP directory implementation, e.g. I should add both 
lowercase *and* uppercase usernames to memberUid attributes to my groups ?
- it is a bug in Samba 2.2.8a, which should behave as samba 3 does ?
- it is a bug in Samba 3.0.x, which finds a username in lowercase 
(thanks to username level=8) but does not use it in the call to 
sys_getgrouplist?

I'd appreciate an answer, even if it's « keep samba 2.2.8a while you're 
ripping off your win98 clients », but that one is an easy one ;-)

Best regards,

Jérôme

-- 
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
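A small diagnostic for the log pattern described in the message above, added here as an example (it is not part of the original post nor Samba's own code): it pulls the username each lookup stage used out of a level-10 smbd log and flags the case mismatch between pdb_set_username and sys_getgrouplist, plus a UNIX token whose "supplementary groups" are only the primary gid repeated. The embedded sample is a trimmed copy of the lines quoted in the post; the function and key names are this example's own.

```python
import re

# Constructed sample in the shape of the Samba 3.0.1rc2 level-10 log quoted
# in the post (a trimmed copy of those lines, not a fresh capture).
SAMPLE_LOG = """\
[2003/12/12 10:17:15, 10] passdb/pdb_get_set.c:pdb_set_username(593)
   pdb_set_username: setting username jerome, was
[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(113)
   sys_getgrouplist: user [JEROME]
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_nt_user_token(491)
   NT user token of user S-1-5-21-1150874807-1180408084-429402335-3000
   contains 8 SIDs
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
   UNIX token of user 1000
   Primary group is 513 and contains 2 supplementary groups
   Group[  0]: 513
   Group[  1]: 513
"""

RE_SET_USER = re.compile(r"pdb_set_username: setting username (\S+),")
RE_GRPLIST = re.compile(r"sys_getgrouplist: user \[([^\]]+)\]")
RE_NT_SIDS = re.compile(r"contains (\d+) SIDs")
RE_UNIX_PRIMARY = re.compile(r"Primary group is (\d+) and contains (\d+) supplementary")
RE_UNIX_GROUP = re.compile(r"Group\[\s*\d+\]: (\d+)")


def analyze(log_text):
    """Extract the username each stage used and both tokens' group data from a
    level-10 smbd log, then flag the two symptoms discussed in the post."""
    r = {"passdb_username": None, "getgrouplist_username": None,
         "nt_sid_count": 0, "unix_primary_gid": None, "unix_groups": []}
    for line in log_text.splitlines():
        if m := RE_SET_USER.search(line):
            r["passdb_username"] = m.group(1)        # name passdb settled on
        elif m := RE_GRPLIST.search(line):
            r["getgrouplist_username"] = m.group(1)  # name handed to getgrouplist
        elif m := RE_NT_SIDS.search(line):
            r["nt_sid_count"] = int(m.group(1))
        elif m := RE_UNIX_PRIMARY.search(line):
            r["unix_primary_gid"] = int(m.group(1))
        elif m := RE_UNIX_GROUP.search(line):
            r["unix_groups"].append(int(m.group(1)))
    a, b = r["passdb_username"], r["getgrouplist_username"]
    # Same account spelled differently: passdb lowercased it, getgrouplist did not.
    r["case_mismatch"] = bool(a and b and a != b and a.lower() == b.lower())
    # Supplementary gids that are not merely the primary gid listed again.
    r["unix_effective_supplementary"] = sorted(
        {g for g in r["unix_groups"] if g != r["unix_primary_gid"]})
    # NT token carries group SIDs, but the UNIX token ended up with none beyond primary.
    r["unix_token_missing_supplementary"] = (
        r["nt_sid_count"] > 0 and not r["unix_effective_supplementary"])
    return r
```

Run it over a full level-10 capture from a failing session setup: a True `case_mismatch` together with a True `unix_token_missing_supplementary` is exactly the pattern in the post.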
