[Samba] Re: rid format in sambaSID

Alexander Muth alexander.muth at lgb-rlp.de
Fri Nov 14 08:19:14 GMT 2003


John H Terpstra wrote:
> On Thu, 13 Nov 2003 mike at jurney.org wrote:
> 
> 
>>Using ldap as my sam backend and Samba 3.0.0-2, I'm showing that samba
>>stops parsing a RID when it encounters a letter.  For example, I have an
>>accounting group with gid 2771 and therefore rid ad3.  When I list the
>>groups in the samba domain, however, I get this listing:
>>
>>Domain Admins (DOMAINSID-512) -> Domain Admins
>>Domain Users (DOMAINSID-513) -> Domain Users
>>Domain Guests (DOMAINSID-514) -> Domain Guests
>>marketing (DOMAINSID-0) -> marketing
>>support (DOMAINSID-0) -> support
>>sales (DOMAINSID-0) -> sales
>>integrators (DOMAINSID-0) -> integrators
>>accounting (DOMAINSID-0) -> accounting
>>
>>All of the groups showing RID 0 have RIDs that begin with a letter.  This
>>behavior applies to every entry in the SAM.  What's going on here?
> 
> 
> Please file a bug report on https://bugzilla.samba.org
> 
> This is a bug.
> 
> - John T.


Is this maybe the cause for the problem that I described in this mail?


Marcos Martins da Silva wrote:

 > I have installed samba 3.0.0 on a RedHat 9.0 box. I have used the rpm
 > binary I got from Canada mirror. The server is a dual Pentium II 400 IBM
 > NetFinity 5000. Installation was easy. Testparm outputs:
 >
 > [root at seth root]# testparm
 > Load smb config files from /etc/samba/smb.conf
 > Processing section "[desenv]"
 > Loaded services file OK.
 > 'winbind separator = +' might cause problems with group membership.
 > Server role: ROLE_DOMAIN_MEMBER
 > Press enter to see a dump of your service definitions
 >
 > # Global parameters
 > [global]
 >         workgroup = HUCFF
 >         server string = Servidor Samba
 >         security = DOMAIN
 >         password server = ROMULO
 >         log file = /var/log/samba/log.%m
 >         max log size = 50
 >         name resolve order = wins lmhosts bcast
 >         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 >         dns proxy = No
 >         wins server = 10.12.10.15
 >         idmap uid = 20000-30000
 >         idmap gid = 20000-30000
 >         template shell = /bin/bash
 >         winbind separator = +
 >         winbind cache time = 10
 >         winbind use default domain = Yes
 >         hosts allow = 10., 127.
 >
 > [desenv]
 >         comment = diretório de desenvolvimento
 >         path = /compart/desenv
 >         valid users = @Desenv
 >         write list = @Desenv
 >         read only = No
 > wbinfo -u and wbinfo -g gets users and groups from a Win2K domain
 > controller (ROMULO) with no problem.
 >
 > The "desenv" share is configured to permit access from group
 > "Desenv", as we can see from testparm output. The /compart/desenv path
 > is configured like this:
 > [root at seth compart]# ls -lia
 > total 12
 >   16403 drwxr-xr-x    3 root     root         4096 Out 17 18:57 .
 >       2 drwxr-xr-x   20 root     root         4096 Out 20 17:03 ..
 >   16404 drwxrwsr-x   23 marcosm  Desenv       4096 Out 18 14:34 desenv
 > "Desenv" is a global group from my win2K domain (HUCFF) and marcosm
 > is a "Desenv" member. Since I could use chown to set Linux permissions
 > to this group and this user, I assume winbind is working fine.
 > Samba can see marcosm is member of desenv and also that Desenv
 > (ID:20035) is among marcosm's groups:
 > [root at seth compart]# getent group Desenv
 > Desenv:x:20035:santanna,marcosm,velasco,analucia,anabraga,anarangel,trindade,beth,evandro,gloria,gustavom,jcarlos,bortnyk,luzimar,mgsoares,cida,osmario,mbfranca,leonardo,gmps
 > [root at seth compart]# wbinfo -r marcosm
 > 20010
 > 20035
 > 20037
 > But I cannot access the share from win2k nor from linux:
 > [root at seth compart]# smbclient //seth/desenv -U marcosm
 > Password:
 > tree connect failed: NT_STATUS_ACCESS_DENIED
 > But if I put the user "marcosm" in write list and valid users lines,
 > like this
 > [desenv]
 >         comment = diretório de desenvolvimento
 >         path = /compart/desenv
 >         valid users = marcosm @Desenv
 >         write list = marcosm @Desenv
 >         read only = No
 > Everything works just fine as we can see:
 > [root at seth compart]# smbclient //seth/desenv -U marcosm
 > Password:
 > smb: \> ls
 >   .                                   D        0  Sat Oct 18 14:34:05 2003
 >   ..                                  D        0  Fri Oct 17 18:57:17 2003
 >   Diretoria                           D        0  Sat Oct 18 14:18:51 2003
 >   Evandro                             D        0  Sat Oct 18 14:21:46 2003
 >   Gloria                              D        0  Sat Oct 18 14:22:50 2003
 >   Gustavo                             D        0  Sat Oct 18 14:22:51 2003
 >   JCarlos                             D        0  Sat Oct 18 14:22:54 2003
 >
 >                 33001 blocks of size 1048576. 26191 blocks available
 >
 > The problem looks like samba is not expanding @Desenv as a user list
 > that contains marcosm.
 > Any clues? Thanks in advance.

Hi,

I have exactly the same problem after upgrading from samba 2.2.8a to 3.0.0.
I run Samba on Linux SLES8 and Sun Solaris 7.

Users and groups are managed on a w2k domain controller.

With Samba 2.2.8a group membership works fine and is now broken in 3.0.0.

On Samba 3.0.0, "wbinfo -r" and "getent group" show the right group
membership, but Samba is ignoring the group membership and I get
NT_STATUS_ACCESS_DENIED when I am accessing files or directories with group
read status.

Is this a general problem? Configuration problem?
Thanks in advance.
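
An added example, not part of the original thread and not Samba's code: it assumes the RID-0 listing in the first quoted report comes from a base-10 conversion that stops at the first non-digit, and shows a hex-looking RID such as `ad3` reading as 0 next to a strict parser that rejects the field. The function names are hypothetical and the sample SIDs are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lenient parse: base-10 strtoul with no end-pointer check. Conversion
 * stops at the first non-digit, so "ad3" yields 0 and "27b1" yields 27. */
static uint32_t rid_lenient(const char *s)
{
    return (uint32_t)strtoul(s, NULL, 10);
}

/* Strict parse: the whole field must be decimal digits and fit in 32 bits.
 * Returns 0 on success, -1 on malformed input. */
static int rid_strict(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (s[0] < '0' || s[0] > '9')   /* rejects "", "ad3", "-1", " 5" */
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Return the text after the last '-' of a SID string, or NULL. */
static const char *sid_last_field(const char *sid)
{
    const char *dash = strrchr(sid, '-');
    return dash ? dash + 1 : NULL;
}

int main(void)
{
    /* Constructed sample SIDs; the domain part is a placeholder. */
    const char *sids[] = { "S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-ad3" };
    for (size_t i = 0; i < 2; i++) {
        const char *f = sid_last_field(sids[i]);
        uint32_t rid = 0;
        int ok = rid_strict(f, &rid) == 0;
        printf("%-22s lenient=%u strict=%s\n", sids[i],
               (unsigned)rid_lenient(f), ok ? "ok" : "REJECT");
    }
    return 0;
}
```

Several distinct groups collapsing onto the same RID is an authorization concern as well as a display glitch, so rejecting the malformed field is safer than silently mapping it to 0.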




