[Samba] Re: Groups not recognized

pgienger at ae-solutions.com pgienger at ae-solutions.com
Fri Aug 20 04:08:09 GMT 2004


Quoting Michal Kurowski <mkur at poczta.gazeta.pl>:

> Paul Gienger [pgienger at ae-solutions.com] wrote:
> >
> > Ok, apparently this is a solaris-vs.-LDAP issue.  I've tested with a
> > machine running Solaris 9 12/02 (that I could reboot) and with anything
> > higher than 112960-03 you can't see supplementary groups, but with -03
> > you can do everything like you want to, although the id command never
> > shows all the groups, but I think that's a solaris-ism.

Correcting myself, on solaris you need to do an id -a but on linux a simple id
gives you all secondary groups.

> > Here's the rub, I've got a Solaris 9 8/03 box that has to be upgraded,
> > but that version is post 112960-03. Does anybody know of a way around
> > this??? I'm not completely averse to ripping out sun's nss library, but
> > that's a little more work than this cat likes to do.
>
> Certainly the problem does not appear on Solaris 9 04/03 with patch
> 112960-16.

Just to be sure, we're talking about a directory that has something like 750
perms, and the group is in the secondary groups list of the user?  I get perm
denied from samba but get in just fine on something like the unix command line.
If so, good to hear, perhaps then I won't have issues with 8/03 -> the newer of
the two sun boxes I have to work on.  I think I read in one of the posts that
the reporter was using 12/02 (what I have), but I can't find that one now. 
Maybe if push comes to shove, both boxes can be updated to 04/04.  I guess it's
possible that the patch itself is bad or it doesn't check for some other minute
dependency.  Put updating test server to 04/04 on my to-do list :-\

> It is pretty weird you only have 112960-03.
Why is that weird? patchrm works wonders when you need it.  This is what the bug
(395 I believe) says is the correct patch-point to get things working, and it
seems to be correct in my tests.

> What do you use as a NSS data source ?
Openldap 2.1.something, whatever comes with FC2, or are you getting at something
else?

> Do you have any patchlevel control software ?
Nope, but if I did I'd try using the sun package first.  I can't stand automatic
patching of unix boxes (this week anyway, next week may change).  We've got two
FC2 boxes that started going weird on network transfers, and I'd much rather be
able to rule out yum sticking in some new version of a package that doesn't
play nice.

> Have you modified your pam config ?
Nope, at least not that I can remember.  Remember, unix permissions work fine,
it's just from samba.

Just to update, I backed down to 112960-03 on my 12/02 box and things work fine.
If I go to a windows box and run ifmember it shows me all the groups I want,
and I don't even think I have some of them groupmapped.

